This document is an excerpt from the EUR-Lex website
Document 62023CJ0200
Judgment of the Court (First Chamber) of 4 October 2024.
Agentsia po vpisvaniyata v OL.
Request for a preliminary ruling from the Varhoven administrativen sad.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Publication in the commercial register of a company’s constitutive instrument containing personal data – Directive (EU) 2017/1132 – Non-compulsory personal data – Lack of consent of the data subject – Right to erasure – Non-material damage.
Case C-200/23.
Court reports – general
ECLI identifier: ECLI:EU:C:2024:827
Provisional text
JUDGMENT OF THE COURT (First Chamber)
4 October 2024 (*)
( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Publication in the commercial register of a company’s constitutive instrument containing personal data – Directive (EU) 2017/1132 – Non-compulsory personal data – Lack of consent of the data subject – Right to erasure – Non-material damage )
In Case C‑200/23,
REQUEST for a preliminary ruling under Article 267 TFEU from the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria), made by decision of 21 March 2023, received at the Court on 28 March 2023, in the proceedings
Agentsia po vpisvaniyata
v
OL,
intervening party:
Varhovna administrativna prokuratura,
THE COURT (First Chamber),
composed of A. Arabadjiev, President of the Chamber, T. von Danwitz (Rapporteur), P.G. Xuereb, A. Kumin and I. Ziemele, Judges,
Advocate General: L. Medina,
Registrar: R. Stefanova-Kamisheva, Administrator,
having regard to the written procedure and further to the hearing on 7 March 2024,
after considering the observations submitted on behalf of:
– Agentsia po vpisvaniyata, by I.D. Ivanov and D.S. Miteva, and by Z.N. Mandazhieva, advokat,
– OL, acting on her own behalf, and by I. Stoynev and T. Tsonev, advokati,
– the Bulgarian Government, by T. Mitova and R. Stoyanov, acting as Agents,
– the German Government, by J. Möller and P.-L. Krüger, acting as Agents,
– Ireland, by M. Browne, Chief State Solicitor, A. Joyce, M. Lane and M. Tierney, acting as Agents, and by I. Boyle Harper, Barrister-at-Law,
– the Italian Government, by G. Palmieri, acting as Agent, and by G. Natale, avvocato dello Stato,
– the Polish Government, by B. Majczyna, acting as Agent,
– the Finnish Government, by A. Laine, acting as Agent,
– the European Commission, by A. Bouchagiar, C. Georgieva, H. Kranenborg and L. Malferrari, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 30 May 2024,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Articles 3 and 4 of Directive 2009/101/EC of the European Parliament and of the Council of 16 September 2009 on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 [EC], with a view to making such safeguards equivalent (OJ 2009 L 258, p. 11), and Articles 4, 6, 17, 58 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request was made in proceedings between the Agentsia po vpisvaniyata (Registration Agency, Bulgaria) (‘the Agency’) and OL concerning the Agency’s refusal to erase certain personal data relating to OL contained in a company’s constitutive instrument published in the commercial register.
Legal context
European Union law
Directive (EU) 2017/1132
3 Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ 2017 L 169, p. 46) repealed and replaced Directive 2009/101 as from its entry into force, namely 20 July 2017.
4 Recitals 1, 7, 8 and 12 of Directive 2017/1132 state:
‘(1) … [Directive 2009/101] … and [Directive] 2012/30/EU of the European Parliament and of the Council [of 25 October 2012 on coordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 54 [TFEU], in respect of the formation of public limited liability companies and the maintenance and alteration of their capital, with a view to making such safeguards equivalent (OJ 2012 L 315, p. 74)] have been substantially amended several times … In the interests of clarity and rationality those Directives should be codified.
…
(7) The coordination of national provisions concerning disclosure, the validity of obligations entered into by, and the nullity of, companies limited by shares or otherwise having limited liability, is of special importance, particularly for the purpose of protecting the interests of third parties.
(8) The basic documents of a company should be disclosed in order for third parties to be able to ascertain their contents and other information concerning the company, especially particulars of the persons who are authorised to bind the company.
…
(12) Cross-border access to company information should be facilitated by allowing, in addition to the compulsory disclosure made in one of the languages permitted in the company’s Member State, the voluntary registration in additional languages of the required documents and particulars. Third parties acting in good faith should be able to rely on the translations thereof.’
5 In Section 1 of Chapter II of Title I of Directive 2017/1132, entitled ‘Incorporation of the public liability company’, Article 4 of that directive, entitled ‘Compulsory information to be provided in the statutes or instruments of incorporation or separate documents’, provides:
‘The following information at least shall appear in either the statutes or the instrument of incorporation or a separate document published in accordance with the procedure laid down in the laws of each Member State in accordance with Article 16:
…
(i) the identity of the natural or legal persons or companies or firms by which or in whose name the statutes or the instrument of incorporation, or where the company was not formed at the same time, the drafts of those documents, have been signed;
…’
6 Section 1 of Chapter III of Title I of that directive, headed ‘General provisions’, comprises Articles 13 to 28 thereof.
7 Under Article 13 of that directive, entitled ‘Scope’:
‘The coordination measures prescribed by this Section shall apply to the laws, regulations and administrative provisions of the Member States relating to the types of company listed in Annex II.’
8 Article 14 of Directive 2017/1132, entitled ‘Documents and particulars to be disclosed by companies’, provides:
‘Member States shall take the measures required to ensure compulsory disclosure by companies of at least the following documents and particulars:
(a) the instrument of constitution, and the statutes if they are contained in a separate instrument;
(b) any amendments to the instruments referred to in point (a), including any extension of the duration of the company;
(c) after every amendment of the instrument of constitution or of the statutes, the complete text of the instrument or statutes as amended to date;
(d) the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law or as members of any such body:
(i) are authorised to represent the company in dealings with third parties and in legal proceedings; it shall be apparent from the disclosure whether the persons authorised to represent the company may do so alone or are required to act jointly;
(ii) take part in the administration, supervision or control of the company;
…’
9 Article 15 of that directive, entitled ‘Changes in documents and particulars’, provides, in paragraph 1:
‘Member States shall take the measures required to ensure that any changes in the documents and particulars referred to in Article 14 are entered in the competent register referred to in the first subparagraph of Article 16(1) and are disclosed, in accordance with Article 16(3) and (5), normally within 21 days of receipt of the complete documentation regarding those changes including, if applicable, the legality check as required under national law for entry in the file.’
10 Under Article 16 of that directive, entitled ‘Disclosure in the register’:
‘1. In each Member State, a file shall be opened in a central, commercial or companies register (“the register”), for each of the companies registered therein.
…
3. All documents and particulars which are required to be disclosed pursuant to Article 14 shall be kept in the file, or entered in the register; the subject matter of the entries in the register shall in every case appear in the file.
Member States shall ensure that the filing by companies, as well as by other persons and bodies required to make or assist in making notifications, of all documents and particulars which are required to be disclosed pursuant to Article 14 is possible by electronic means. In addition, Member States may require all, or certain categories of, companies to file all, or certain types of, such documents and particulars by electronic means.
All documents and particulars referred to in Article 14 which are filed, whether by paper means or by electronic means, shall be kept in the file, or entered in the register, in electronic form. To this end, Member States shall ensure that all such documents and particulars which are filed by paper means are converted by the register to electronic form.
…
4. A copy of all or any part of the documents or particulars referred to in Article 14 shall be obtainable on application. Applications may be submitted to the register by paper means or by electronic means as the applicant chooses.
…
5. Disclosure of the documents and particulars referred to in paragraph 3 shall be effected by publication in the national gazette designated for that purpose by the Member State, either of the full text or of a partial text, or by means of a reference to the document which has been deposited in the file or entered in the register. The national gazette designated for that purpose may be kept in electronic form.
Member States may decide to replace publication in the national gazette with equally effective means, which shall entail at least the use of a system whereby the information disclosed can be accessed in chronological order through a central electronic platform.
6. The documents and particulars may be relied on by the company as against third parties only after they have been disclosed in accordance with paragraph 5, unless the company proves that the third parties had knowledge thereof.
…
7. Member States shall take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 5 and what appears in the register or file.
However, in cases of discrepancy, the text disclosed in accordance with paragraph 5 may not be relied on as against third parties; such third parties may nevertheless rely thereon, unless the company proves that they had knowledge of the texts deposited in the file or entered in the register.
…’
11 Article 21 of Directive 2017/1132, entitled ‘Language of disclosure and translation of documents and particulars to be disclosed’, provides:
‘1. Documents and particulars to be disclosed pursuant to Article 14 shall be drawn up and filed in one of the languages permitted by the language rules applicable in the Member State in which the file referred to in Article 16(1) is opened.
2. In addition to the compulsory disclosure referred to in Article 16, Member States shall allow translations of documents and particulars referred to in Article 14 to be disclosed voluntarily in accordance with Article 16 in any official language(s) of the [European] Union.
Member States may prescribe that the translation of such documents and particulars be certified.
Member States shall take the necessary measures to facilitate access by third parties to the translations voluntarily disclosed.
3. In addition to the compulsory disclosure referred to in Article 16, and to the voluntary disclosure provided for under paragraph 2 of this Article, Member States may allow the documents and particulars concerned to be disclosed, in accordance with Article 16, in any other language(s).
…
4. In cases of discrepancy between the documents and particulars disclosed in the official languages of the register and the translation voluntarily disclosed, the latter may not be relied upon as against third parties. …’
12 Under Article 161 of that directive, entitled ‘Data protection’:
‘The processing of personal data carried out in the context of this Directive shall be subject to Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)].’
13 Article 166 of that directive, headed ‘Repeal’, provides:
‘Directives … [2009/101] … and [2012/30] … are repealed …
References to the repealed Directives shall be construed as references to this Directive and shall be read in accordance with the correlation table in Annex IV.’
14 Annex II to Directive 2017/1132 lists the types of companies referred to in Article 7(1), Article 13, Article 29(1), Article 36(1), Article 67(1) and point (a) of Article 119(1) of that directive, including, for Bulgaria, OODs.
15 In accordance with the correlation table in Annex IV to Directive 2017/1132, first, Articles 2, 2a, 3, 4 and 7a of Directive 2009/101 correspond to Articles 14, 15, 16, 21 and 161 of Directive 2017/1132, respectively. Second, Article 3 of Directive 2012/30 corresponds to Article 4 of Directive 2017/1132.
Directive (EU) 2019/1151
16 Directive 2017/1132 was amended, inter alia, by Directive (EU) 2019/1151 of the European Parliament and of the Council of 20 June 2019 amending Directive 2017/1132 as regards the use of digital tools and processes in company law (OJ 2019 L 186, p. 80), which entered into force on 31 July 2019 and which provides, in Article 1 thereof, entitled ‘Amendments to Directive [2017/1132]’:
‘Directive [2017/1132] is amended as follows:
…
(6) Article 16 is replaced by the following:
“Article 16
Disclosure in the register
1. In each Member State, a file shall be opened in a central, commercial or companies register (‘the register’), for each of the companies registered therein.
…
2. All documents and information that are required to be disclosed pursuant to Article 14 shall be kept in the file referred to in paragraph 1 of this Article, or entered directly in the register, and the subject matter of the entries in the register shall be recorded in the file.
All documents and information referred to in Article 14, irrespective of the means by which they are filed, shall be kept in the file in the register or entered directly into it in electronic form. Member States shall ensure that all documents and information that are filed by paper means are converted by the register to electronic form as quickly as possible.
…
3. Member States shall ensure that the disclosure of the documents and information referred to in Article 14 is effected by making them publicly available in the register. In addition, Member States may also require that some or all of those documents and information are published in a national gazette designated for that purpose, or by equally effective means. …
4. Member States shall take the necessary measures to avoid any discrepancy between what is in the register and in the file.
Member States that require the publication of documents and information in a national gazette or on a central electronic platform shall take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 3 and what is published in the gazette or on the platform.
In cases of any discrepancies under this Article, the documents and information made available in the register shall prevail.
5. The documents and information referred to in Article 14 may be relied on by the company as against third parties only after they have been disclosed in accordance with paragraph 3 of this Article, unless the company proves that the third parties had knowledge thereof.
…
6. Member States shall ensure that all documents and information submitted as part of the formation of a company, the registration of a branch, or a filing by a company or a branch, is stored [in] the registers in a machine-readable and searchable format or as structured data …”
(7) the following Article is inserted:
“Article 16a
Access to disclosed information
1. Member States shall ensure that copies of all or any part of the documents and information, referred to in Article 14, may be obtained from the register on application …
…”
(19) Article 161 is replaced by the following:
“Article 161
Data protection
The processing of any personal data carried out in the context of this Directive shall be subject to [the GDPR].”’
17 Article 2 of Directive 2019/1151, entitled ‘Transposition’, provides:
‘1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 1 August 2021. …
2. Notwithstanding paragraph 1 of this Article, Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with … point (6) of Article 1 of this Directive, as regards Article 16(6) of Directive [2017/1132], by 1 August 2023.
3. By way of derogation from paragraph 1, Member States which encounter particular difficulties in transposing this Directive shall be entitled to benefit from an extension of the period provided for in paragraph 1 of up to one year. …
…’
The GDPR
18 Recitals 26, 32, 40, 42, 43, 50, 85, 143 and 146 of the GDPR state:
‘(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. … To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. …
…
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. … Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. …
…
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
…
(42) Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. … Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case …
…
(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. …
…
(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …
…
(143) … each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. …
…
(146) … The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’
19 Article 4 of the GDPR, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…
(9) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
…
(11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
…’
20 Article 5 of the GDPR, headed ‘Principles relating to processing of personal data’, states:
‘1. Personal data shall be:
…
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
21 Under Article 6 of the GDPR, entitled ‘Lawfulness of processing’:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…
3. The basis for the processing referred to in point[s] (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
…’
22 Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’, provides:
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
…
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
…
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…’
23 Article 21(1) of the GDPR is worded as follows:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
24 Article 58 of the GDPR provides:
‘1. Each supervisory authority shall have all of the following investigative powers:
…
2. Each supervisory authority shall have all of the following corrective powers:
…
3. Each supervisory authority shall have all of the following authorisation and advisory powers:
…
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
…
4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the [Charter of Fundamental Rights of the European Union (“the Charter”)].
5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.’
25 Under Article 82 of the GDPR, entitled ‘Right to compensation and liability’:
‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
…’
26 Article 94 of the GDPR provides:
‘1. Directive [95/46] is repealed with effect from 25 May 2018.
2. References to the repealed Directive shall be construed as references to this Regulation. …’
Bulgarian law
The Law on the registers
27 Article 2 of the Zakon za targovskia registar i registara na yuridicheskite litsa s nestopanska tsel (Law on the commercial register and the register of not-for-profit legal persons) (DV No 34 of 25 April 2006), in the version applicable to the dispute in the main proceedings (‘the Law on the registers’), provides:
‘(1) The commercial register and the register of not-for-profit legal persons are a common electronic database containing the particulars entered pursuant to a law, and the acts made available to the public pursuant to a law, which concern traders and the branches of foreign traders, not-for-profit legal persons and the branches of foreign not-for-profit legal persons.
(2) The particulars and acts referred to in paragraph 1 shall be made available to the public without containing the information constituting personal data within the meaning of Article 4(1) of [the GDPR], with the exception of information that must be made available to the public by law.’
28 Article 3 of that law provides:
‘The commercial register and the register of not-for-profit legal persons shall be maintained by the [Agency], which is attached to the Ministar na pravosadieto [Minister for Justice, Bulgaria].’
29 Article 6(1) of that law lays down:
‘All traders and legal persons operating on a not-for-profit basis shall apply to be entered in the commercial register and the register of not-for-profit legal persons, respectively, stating the particulars entry of which is required and submitting the documents to be made available to the public.’
30 Article 11 of that law is worded as follows:
‘(1) The commercial register and the register of not-for-profit legal persons are public registers. Everyone shall be entitled to access freely and free of charge the database constituting the registers.
(2) The [Agency] shall ensure registered access to the file of the trader or not-for-profit legal person.’
31 Article 13(1), (2), (6) and (9) of the Law on the registers provides:
‘(1) Entry, erasure and making available to the public shall be done by means of an application form.
(2) The application shall contain:
1. the contact details of the applicant;
…
3. the particulars subject to entry, the entry erasure of which is requested, or the act to be made available to the public;
…
(6) The application shall be accompanied by the documents or, as the case may be, the act to be made available to the public, in accordance with the requirements of the law. The documents shall be submitted in the form of an original, a copy authenticated by the applicant or a notarised copy. The applicant shall also submit authenticated copies of the acts to be made available to the public in the commercial register, in which personal data other than those required by law have been redacted.
…
(9) Where the application or the attached documents refer to personal data which are not required by law, the persons who provided them are assumed to have consented to their processing by the [Agency] and to them being made available to the public.
…’
The Commercial Code
32 Point (3) of Article 101 of the Targovski zakon (Commercial Code) (DV No 48 of 18 June 1991), in the version applicable to the dispute in the main proceedings (‘the Commercial Code’), provides that a company’s constitutive instrument must contain ‘the name, business name and unique identification code of members’.
33 As set out in Article 119 of the Commercial Code:
‘(1) Registration of the company in the commercial register shall require:
1. the submission of the company’s constitutive instrument which is [to be] made available to the public;
…
2. The data referred to in point 1 … shall be entered in the register …
…
(4) For the purposes of amending or supplementing the company’s constitutive instrument in the commercial register, a copy of that instrument containing all amendments and all addenda, authenticated by the body representing the company, shall be submitted for the purpose of being made available to the public.’
Decree No 1 on the maintenance, retention and access to the commercial register and the register of not-for-profit legal persons
34 Article 6 of the Naredba n 1 za vodene, sahranyavane i dostap do targovskia registar i do registara na yuridicheskite litsa s nestopanska tsel (Decree No 1 on the maintenance, retention and access to the commercial register and the register of not-for-profit legal persons) of 14 February 2007 (DV No 18 of 27 February 2007), adopted by the Ministar na pravosadieto (Minister for Justice), in the version applicable to the dispute in the main proceedings, provides:
‘Registration and removal from the commercial register and the register of not-for-profit legal persons shall be carried out on the basis of an application form in accordance with the annexes [containing specific forms]. Documents from the commercial register and the register of not-for-profit legal persons shall be made available to the public based on an application form in accordance with the annexes [containing specific forms].’
The dispute in the main proceedings and the questions referred for a preliminary ruling
35 OL is a member of ‘Praven Shtit Konsulting’ OOD, a limited liability company governed by Bulgarian law, which was registered on 14 January 2021 in the commercial register following the submission of a company’s constitutive instrument dated 30 December 2020 and signed by the members of that company (‘the constitutive instrument concerned’).
36 That instrument, which includes the surname, first name, identification number, identity card number, date and place of issue of that card, as well as OL’s address and signature, was made available to the public by the Agency as submitted.
37 On 8 July 2021, OL requested the Agency to erase the personal data relating to her contained in that constitutive instrument, stating that, if the processing of those data was based on her consent, she was withdrawing that consent.
38 In the absence of a reply from the Agency, OL brought an action before the Administrativen sad Dobrich (Administrative Court, Dobrich, Bulgaria) which, by a judgment of 8 December 2021, annulled the implied refusal of the Agency to erase those data and referred the case back to the Agency for a new decision.
39 In order to comply with that judgment, and with a similar judgment concerning the other company member who had taken the same step, the Agency, by letter of 26 January 2022, stated that an authenticated copy of the constitutive instrument concerned in which the personal data of the company members, other than the personal data required by law, were redacted had to be sent to it in order for OL’s request for erasure of her personal data to be granted.
40 On 31 January 2022, OL again brought an action before the Administrativen sad Dobrich (Administrative Court, Dobrich) seeking annulment of that letter and an order that the Agency compensate her for the alleged non-material damage caused by that letter which infringed the rights conferred by the GDPR.
41 On 1 February 2022, before being notified of that action, the Agency erased of its own motion OL’s identification number, the data relating to her identity card and her address, but not her surname, first name and signature.
42 By judgment of 5 May 2022, the Administrativen sad Dobrich (Administrative Court, Dobrich) annulled the letter of 26 January 2022 and ordered the Agency to pay compensation to OL in the amount of 500 Bulgarian leva (BGN) (approximately EUR 255), together with statutory interest, in respect of non-material damage suffered, pursuant to Article 82 of the GDPR. According to that judgment, first, that damage consisted in psychological and emotional suffering by OL, namely fear of, and concern over, possible abuse, as well as the sense of powerlessness and disappointment that her personal data could not be protected. Second, that damage stemmed from that letter, which had led to an infringement of the right to erasure enshrined in Article 17(1) of the GDPR and the unlawful processing of her data contained in the constitutive instrument concerned which was made available to the public.
43 The Agency brought an appeal on a point of law against that judgment before the referring court, the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria).
44 According to that court, the Agency claims that it is not only a controller but also a recipient of the personal data transmitted in the registration procedure of ‘Praven Shtit Konsulting’. Furthermore, the Agency did not receive any copy of the constitutive instrument concerned in which OL’s personal data which were not to be made available to the public were redacted, even though it had made a request to that effect before that company was entered in the commercial register. The absence of such a copy cannot, in itself, prevent a commercial company from being entered in that register. That follows from opinion No 01-116(20)/01.02.2021 of the national supervisory authority, the Komisia za zashtita na lichnite danni (Commission for the Protection of Personal Data, Bulgaria), submitted pursuant to Article 58(3)(b) of the GDPR, to which the Agency refers. That court notes that, according to OL, the Agency, as controller, cannot impose on other persons its obligations to erase personal data since, according to national case-law, that opinion does not comply with the provisions of the GDPR.
45 The referring court adds that, in the light of that main line of national case-law, a clarification of the requirements resulting from that regulation appears necessary. In particular, that court raises the question of the balancing exercise that must be carried out between, on the one hand, the right to protection of personal data and, on the other, the legislation guaranteeing disclosure and access to certain company documents, stating, in particular, that the judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197), does not resolve the difficulties of interpretation raised by the situation at issue in the main proceedings.
46 In those circumstances, the Varhoven administrativen sad (Supreme Administrative Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) May Article 4(2) of [Directive 2009/101] be interpreted as meaning that it imposes an obligation on the Member State to permit the disclosure of [a company’s constitutive instrument], which is subject to registration under Article 119 of [the Commercial Code], in the case where that instrument contains not only the names of the members of the company, which are subject to compulsory disclosure under Article 2(2) of [the Law on the registers], but also other personal data [relating to them]? When answering this question, it is important to take into account that the [Agency] is a public sector body against which the directly effective provisions of [a] directive may be relied on, in accordance with the settled case-law of the Court of Justice (judgment of 7 September 2006, Vassallo, C‑180/04, EU:C:2006:518, paragraph 26 and the case-law cited).
(2) If the first question is answered in the affirmative, may it be assumed that, in the circumstances which gave rise to the dispute in the main proceedings, the processing of personal [data] by the [Agency] is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of Article 6(1)(e) of [the GDPR]?
(3) If the first two questions are answered in the affirmative, may a national provision such as that contained in Article 13(9) of [the Law on the registers], in accordance with which, in the event that personal data not required by law are contained in an application [for registration] or in the documents annexed thereto, it must be assumed that the persons who made those data available consented to the processing thereof by the [Agency] and to the provision of public access thereto, be regarded as permissible, notwithstanding recitals 32, 40, 42, 43 and 50 of [the GDPR], as a clarification of the possibility of “voluntary disclosure”, within the meaning of Article 4(2) of [Directive 2009/101], even of personal data?
(4) Is it permissible for provisions of national law intended to give effect to the obligation laid down in Article 3(7) of Directive [2009/101], whereby Member States are to take the necessary measures to avoid any discrepancy between what is disclosed in accordance with [Article 3(5) of that directive] and what appears in the register or file, and to take into account the interests of third parties in being acquainted with the essential documents of the company and certain information concerning the company, as referred to in recital 3 of that directive, to prescribe a procedure (application forms, submission of copies of documents in which personal data have been redacted) for exercising the right of natural persons under Article 17 of [the GDPR] to obtain from the controller the erasure of personal data concerning him or her without undue delay, in the case where the personal data the erasure of which is sought are part of publicly disclosed (notified) documents which were made available to the controller, in accordance with a similar procedure, by another person who, in so doing, also determined the purpose of the processing initiated by him or her?
(5) In the situation underlying the dispute in the main proceedings, does the [Agency] act only as controller in relation to the personal data or is it also the recipient thereof, in the case where the purposes of processing those data were determined by another controller as part of the documents that were submitted for disclosure?
(6) Does the handwritten signature of a natural person constitute information relating to an identified natural person, in the sense that it is covered by the term “personal data” within the meaning of Article 4(1) of [the GDPR]?
(7) Is the concept of “non-material damage” in Article 82(1) of [the GDPR] to be interpreted as meaning that the assumption of non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or is the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data in the commercial register, which did not have any noticeable or adverse consequences for the data subject, sufficient for that purpose?
(8) May opinion No 01-116(20)/01.02.2021, issued by the national supervisory authority, the [Commission for the Protection of Personal Data], in accordance with Article 58(3)(b) of [the GDPR], to the effect that the [Agency] does not have the option or power in law to restrict of its own motion or at the request of the data subject the processing of data which have already been disclosed, permissibly be regarded as proof, for the purposes of Article 82(3) [of the GDPR], that the [Agency] is in no way responsible for the circumstance which gave rise to the damage suffered by the natural person?’
Consideration of the questions referred
Preliminary observations
47 As a preliminary point, it should be noted that the questions referred concern the interpretation of both the GDPR and Directive 2009/101, which was codified and replaced by Directive 2017/1132, applicable ratione temporis to the facts at issue in the main proceedings. Consequently, the request for a preliminary ruling must be interpreted as seeking an interpretation of Directive 2017/1132.
48 Furthermore, as the Advocate General observed in point 15 of her Opinion, since some of those facts are subsequent to 1 August 2021, the date on which the transposition period of Directive 2019/1151 – set out in Article 2(1) of that directive – expired, it is for the referring court to ascertain whether those facts fall within the scope ratione temporis of Directive 2017/1132 or of Directive 2017/1132, as amended by Directive 2019/1151.
49 That being so, it should be noted that the amendments to the wording of Articles 16 and 161 of Directive 2017/1132 and the addition of Article 16a to that directive introduced by Directive 2019/1151 have no bearing on the analysis which the Court is called upon to carry out in the present case, with the result that the answers to be given in the present judgment will, in any event, be relevant.
The first question
50 By its first question, the referring court asks, in essence, whether Article 21(2) of Directive 2017/1132 must be interpreted as imposing on a Member State an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data other than the minimum personal data required, disclosure of which is not required by the law of that Member State.
51 In particular, that court is uncertain as to the scope of the voluntary disclosure referred to in that provision and seeks to determine whether that provision requires Member States to permit the disclosure of information contained in the constitutive instruments of companies, such as personal data, which they have not required for the purposes of compulsory disclosure under that directive.
52 Under the first subparagraph of Article 21(2) of Directive 2017/1132, ‘in addition to the compulsory disclosure referred to in Article 16 [of that directive], Member States shall allow translations of documents and particulars referred to in Article 14 [of that directive] to be disclosed voluntarily in accordance with Article 16 [thereof] in any official language(s) of the Union’. The second subparagraph of Article 21(2) authorises Member States to prescribe that ‘the translation of such documents and particulars’ be certified. Last, the third subparagraph of Article 21(2) concerns the measures necessary to facilitate access to the ‘translations’ voluntarily disclosed.
53 Article 14 of Directive 2017/1132 for its part lists the documents and particulars which the companies concerned must, as a minimum, disclose. Those documents and particulars must, in accordance with Article 16(3) to (5) of that directive, be kept in the file or entered in the register, be accessible by obtaining a full or partial copy on request, and be disclosed by publication either of the full text or of a partial text, or by means of a reference, in the national gazette, or by an equally effective means.
54 In that regard, having regard in particular to the repeated use of the term ‘translations’ in Article 21(2) of Directive 2017/1132, it is apparent from the wording of that provision that it concerns the voluntary disclosure of translations of the documents and particulars referred to in Article 14 of that directive into an official language of the European Union and, therefore, only the language in which those documents and particulars are published. By contrast, that provision does not refer to the content of those documents and particulars.
55 Therefore, that wording tends to indicate that Article 21(2) cannot be interpreted as imposing on Member States any obligation relating to the disclosure of personal data which are not required to be disclosed either by other provisions of EU law or by the law of the Member State concerned, but which appear in a document subject to compulsory disclosure under that directive.
56 Where the meaning of a provision of EU law is absolutely plain from its very wording, the Court cannot depart from that interpretation (judgment of 25 January 2022, VYSOČINA WIND, C‑181/20, EU:C:2022:51, paragraph 39).
57 In any event, as regards the context of Article 21(2) of Directive 2017/1132, the title of that article, which refers to the ‘Language of disclosure and translation of documents and particulars to be disclosed’, as well as the other paragraphs of that article, support the interpretation referred to in paragraph 55 of this judgment.
58 Article 21(1) of Directive 2017/1132 provides that ‘documents and particulars to be disclosed pursuant to Article 14 [of that directive] shall be drawn up and filed in one of the languages permitted’ by the applicable national rules. Article 21(3) of that directive provides that, in addition to the compulsory disclosure referred to in Article 16 thereof and the voluntary disclosure provided for in Article 21(2) of that directive, Member States may allow the documents and particulars concerned to be disclosed ‘in any other language(s)’. As for Article 21(4), it refers to a ‘translation voluntarily disclosed’.
59 Last, the interpretation referred to in paragraph 55 of this judgment is confirmed by recital 12 thereof, according to which cross-border access to company information should be facilitated by allowing, in addition to compulsory disclosure made in one of the languages permitted in the company’s Member State, the voluntary registration in additional languages of the required documents and particulars.
60 In the light of the foregoing, the answer to the first question is that Article 21(2) of Directive 2017/1132 must be interpreted as not imposing on a Member State an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data, other than the minimum personal data required, disclosure of which is not required by the law of that Member State.
The second and third questions
61 In the light of the answer given to the first question, there is no need to answer the second and third questions, which are asked only in the event that the first question is answered in the affirmative.
The fifth question
62 By its fifth question, which it is appropriate to examine before the fourth question, the referring court asks, in essence, whether the GDPR, in particular Article 4(7) and (9) thereof, must be interpreted as meaning that the authority responsible for maintaining the commercial register of a Member State which publishes, in that register, personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and a ‘controller’ of those data, within the meaning of that provision.
63 At the outset, it should be recalled that, in accordance with Article 161 of Directive 2017/1132, the processing of personal data carried out in the context of that directive is subject to Directive 95/46 and, therefore, to the GDPR, Article 94(2) of which states that references to the latter directive are to be construed as references to that regulation.
64 In that regard, it must first be pointed out that, under Article 14(1)(a), (b) and (d) of Directive 2017/1132, Member States must take the measures necessary to ensure the compulsory disclosure by companies of at least the instrument of constitution of the company concerned, the amendments thereto, the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law, or as members of any such body, are authorised to represent the company in dealings with third parties and in legal proceedings, or take part in the administration, supervision or control of that company. In addition, under Article 4(i) of that directive, the compulsory information to be provided in the instrument of incorporation disclosed includes the identity of the natural or legal persons or companies or firms by which or in whose name that document has been signed.
65 Pursuant to Article 16(3) to (5) of that directive, as stated in paragraph 53 of this judgment, those documents and particulars must be kept in the file or entered in the register, be accessible by obtaining a full or partial copy on request, and be disclosed by publication either of the full text or of a partial text, or by means of a reference, in the national gazette, or by an equally effective means.
66 As the Advocate General observed in point 26 of her Opinion, it is therefore for the Member States to determine, inter alia, which categories of information concerning the identity of the persons referred to in Article 4(i) and Article 14(d) of that directive, in particular, which kind of personal data, are to be subject to compulsory disclosure, in accordance with EU law.
67 The information relating to the identity of those persons constitutes, as information relating to identified or identifiable natural persons, ‘personal data’ within the meaning of Article 4(1) of the GDPR (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 34).
68 The same is true of the additional information relating to the identity of those persons or of other categories of persons which the Member States decide to subject to compulsory disclosure, or which, as in the present case, are included in the documents subject to such disclosure, without those data being required to be made available by Directive 2017/1132 or by the national law implementing that directive.
69 Next, as regards the concept of ‘recipient’ within the meaning of Article 4(9) of the GDPR, it refers to ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not’, that provision specifying that public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU law or the law of a Member State are not covered by that definition.
70 By receiving, in the context of an application for registration of a company in the commercial register of a Member State, the documents subject to compulsory disclosure referred to in Article 14 of Directive 2017/1132 containing personal data, whether or not they are required by that directive or by national law, the authority responsible for maintaining that register has the status of ‘recipient’ of those data within the meaning of Article 4(9) of the GDPR.
71 Last, under Article 4(7) of the GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for its nomination may be provided for by EU law or the law of a Member State.
72 In that regard, it should be borne in mind that, according to the case-law of the Court, that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 28 and the case-law cited).
73 Having regard to the wording of Article 4(7) of the GDPR, read in the light of that objective, it appears that, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by EU law or by national law. Where such a determination is made by national law, it must then be ascertained whether that law nominates the controller or lays down the specific criteria applicable to its nomination (see, to that effect, judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 29).
74 It must also be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).
75 In addition, by transcribing and storing personal data received in connection with an application for registration of a company in the commercial register of a Member State, by disclosing those data, where appropriate, on request to third parties and publishing them in the national gazette, or by an equally effective means, the authority responsible for maintaining that register carries out processing of personal data for which it is the ‘controller’, within the meaning of Article 4(2) and (7) of the GDPR (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 35).
76 Those kinds of processing of personal data are distinct from and subsequent to the disclosure of personal data carried out by the applicant for that registration and received by that authority. In addition, that authority carries out those kinds of processing alone, in accordance with the purposes and procedures laid down by Directive 2017/1132 and by the legislation of the Member State concerned implementing that directive.
77 In that regard, it is apparent from recitals 7 and 8 of that directive that the purpose of the disclosure provided for by that directive is to protect in particular the interests of third parties in relation to joint stock companies and limited liability companies, since the only safeguards they offer to third parties are their assets. To that end, the basic documents of a company should be disclosed in order for third parties to be able to ascertain their contents and other information concerning the company, especially particulars of the persons who are authorised to bind the company.
78 Furthermore, the purpose of that directive is to guarantee legal certainty in relation to dealings between companies and third parties in view of the intensification of trade between Member States following the creation of the internal market. With that in mind, it is important that any person wishing to establish and develop trading relations with companies situated in other Member States should be able easily to obtain essential information relating to the constitution of trading companies and to the powers of persons authorised to represent them, which requires that all the relevant information should be expressly included in the register (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 50).
79 As the Advocate General observed in point 39 of her Opinion, by transmitting to the authority responsible for maintaining the commercial register of a Member State the documents and particulars which are subject to compulsory disclosure under Directive 2017/1132, and by thus processing the personal data which those documents contain, the applicant for registration of a company in the commercial register has no influence on the determination of the subsequent purposes and processing carried out by that authority. In addition, that applicant pursues different purposes which are his or her own, namely fulfilling the formalities necessary for that registration.
80 In the present case, as the Advocate General noted in points 31 and 32 of that Opinion, it is apparent from the request for a preliminary ruling that the making available to the public of OL’s personal data occurred in the exercise of the powers vested in the Agency as the authority responsible for maintaining the register, the purposes and means of processing those data being determined both by EU law and by the national legislation at issue in the main proceedings, in particular by Article 13(9) of the Law on the registers. Thus, the fact that an authenticated copy of the constitutive instrument concerned, in which the personal data not required by that legislation were redacted, was not sent, contrary to the procedural rules laid down by that legislation, has no bearing on the classification of the Agency as a ‘controller of that processing’.
81 That classification is also not called into question by the fact that the Agency does not review, under that legislation, before they are made available online, the personal data contained in the electronic images or originals of documents which are transmitted to it for the purposes of the registration of a company. In that regard, the Court has already held that it would be contrary to the objective of Article 4(7) of the GDPR, referred to in paragraph 72 of the present judgment, to exclude the Official Journal of a Member State from the concept of ‘controller’ on the ground that it does not review the personal data contained in its publications (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 38).
82 In those circumstances, it appears that, in a situation such as that at issue in the main proceedings, the Agency is the controller of OL’s personal data, the processing of which consists of making those data available, online, to the public, even if a copy of the constitutive instrument concerned, in which the personal data not required by the national legislation at issue in the main proceedings were redacted, should have been transmitted to it, pursuant to that legislation, which it is for the referring court to ascertain. Accordingly, the Agency is also responsible, under Article 5(2) of the GDPR, for compliance with paragraph 1 of that article.
83 In the light of the foregoing, the answer to the fifth question is that the GDPR, in particular Article 4(7) and (9) thereof, must be interpreted as meaning that the authority responsible for maintaining the commercial register of a Member State which publishes, in that register, the personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and, particularly in so far as it makes them available to the public, a ‘controller’ of those data, within the meaning of that provision, even where that instrument contains personal data not required by that directive or by the law of that Member State.
The fourth question
Admissibility
84 The Bulgarian Government submits that the fourth question is inadmissible since it raises a hypothetical problem. According to that government, that question concerns the compatibility with Article 16 of Directive 2017/1132 of national legislation – which has not yet been adopted – laying down detailed procedural rules for the exercise of the right referred to in Article 17 of the GDPR.
85 In accordance with settled case-law, the procedure for referring questions for a preliminary ruling under Article 267 TFEU establishes a relationship of close cooperation between the national courts and the Court of Justice based on the assignment to each of different functions and constitutes an instrument by means of which the Court provides the national courts with the criteria for the interpretation of EU law which they need in order to dispose of disputes which they are called upon to resolve. In the context of that cooperation, it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine in the light of the particular circumstances of the case both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. Consequently, where the questions submitted concern the interpretation of EU law, the Court is in principle required to give a ruling (judgment of 23 November 2021, IS (Illegality of the order for reference), C‑564/19, EU:C:2021:949, paragraphs 59 and 60 and the case-law cited).
86 It follows that questions relating to EU law enjoy a presumption of relevance. The Court may refuse to rule on a question referred by a national court for a preliminary ruling only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgment of 24 November 2020, Openbaar Ministerie (Forgery of documents), C‑510/19, EU:C:2020:953, paragraph 26 and the case-law cited).
87 In the present case, it is apparent from the request for a preliminary ruling that the referring court is called upon to adjudicate, at last instance, on the lawfulness of the Agency’s refusal to grant the request for erasure of personal data at issue in the main proceedings, on the ground that a copy of the constitutive instrument concerned, in which the personal data not required by Bulgarian legislation were redacted, had not been provided to the Agency, contrary to the procedural rules laid down by that legislation. Furthermore, it follows from that request that such a refusal is consistent with the practices of the Agency. Last, that court stated that an answer from the Court to the fourth question was necessary for the resolution of the dispute in the main proceedings, in a context in which national case-law is not consistent.
88 It follows that, contrary to what the Bulgarian Government maintains, the fourth question is admissible.
Substance
89 In the light of the information set out in the request for a preliminary ruling, as set out in paragraph 87 of the present judgment, it must be held that, by its fourth question, the referring court asks, in essence, whether Directive 2017/1132, in particular Article 16 thereof, and Article 17 of the GDPR must be interpreted as precluding legislation or a practice of a Member State which leads the authority responsible for maintaining the commercial register of that Member State to refuse any request for erasure of personal data, not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument published in that register, where a copy of that instrument in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation.
90 In accordance with Article 17(1) of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase those personal data without undue delay where one of the grounds set out in that provision applies.
91 That is the case, according to Article 17(1)(c), where the data subject objects to processing pursuant to Article 21(1) of that regulation and there are no ‘overriding legitimate grounds for the processing’ or, in accordance with Article 17(1)(d), where the data in question have been ‘unlawfully processed’.
92 It also follows from Article 17(3)(b) of the GDPR that Article 17(1) thereof does not apply where the processing is necessary for compliance with a legal obligation which requires processing by EU law or the law of a Member State to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
93 Therefore, in order to determine whether, in a situation such as that at issue in the main proceedings, the data subject has a right to erasure under Article 17 of the GDPR, it is necessary, in the first instance, to examine the ground or grounds for lawfulness under which the processing of his or her personal data may fall.
94 In that regard, it should be recalled that the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as being lawful. Thus, in order that it may be regarded as lawful, processing must fall within one of the cases provided for in Article 6 (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 99 and the case-law cited).
95 In the absence of the data subject’s consent to the processing of his or her personal data pursuant to point (a) of the first subparagraph of Article 6(1), or where that consent is not freely given, specific, informed and unambiguous, within the meaning of Article 4(11) of the GDPR, such processing may nevertheless be justified where it meets one of the requirements of necessity mentioned in points (b) to (f) of the first subparagraph of Article 6(1) of that regulation (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 92).
96 In that context, the justifications provided for in that latter provision, in so far as they allow the processing of personal data carried out in the absence of the data subject’s consent to be made lawful, must be interpreted restrictively (judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 93 and the case-law cited).
97 It should also be noted that, in accordance with Article 5 of the GDPR, the controller bears the burden of proving that those data are collected, inter alia, for specified, explicit and legitimate purposes, that they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed and that they are processed lawfully, fairly and in a transparent manner in relation to the data subject (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 95).
98 Although it is for the referring court to determine whether the various elements of the processing such as that at issue in the main proceedings are justified by one or other of the necessity requirements referred to in points (a) to (f) of the first subparagraph of Article 6(1) of the GDPR, the Court can nevertheless provide it with useful guidance to enable it to resolve the dispute before it (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 96).
99 In the present case, first of all, as noted by the Advocate General in point 43 of her Opinion, the presumption of consent established in Article 13(9) of the Law on the registers does not appear to satisfy the conditions required by point (a) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 4(11) of that regulation.
100 As is apparent from recitals 32, 42 and 43 of that regulation, consent should be given by a clear affirmative act, for example by a written statement or an oral statement, without being regarded as having been freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. Furthermore, consent should not provide a valid legal ground in a specific case where there is a clear imbalance between the data subject and the controller, in particular where that controller is a public authority.
101 Therefore, a presumption such as that laid down in Article 13(9) of the Law on the registers cannot be regarded as establishing freely given, specific, informed and unambiguous consent to the processing of personal data by a public authority such as the Agency.
102 Next, the grounds for lawfulness laid down in points (b) and (d) of the first subparagraph of Article 6(1), relating to the processing of personal data necessary for the performance of a contract and the protection of the vital interests of a natural person, respectively, do not appear to be relevant to the processing of personal data at issue in the main proceedings. The same is true of the ground for lawfulness laid down in point (f) of the first subparagraph of Article 6(1), relating to the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller, since it is clear from the wording of the second subparagraph of Article 6(1) that the processing of personal data carried out by a public authority in the performance of its tasks cannot come within the scope of that latter ground (see, to that effect, judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C‑180/21, EU:C:2022:967, paragraph 85).
103 Last, as regards the grounds for lawfulness set out in points (c) and (e) of the first subparagraph of Article 6(1) of the GDPR, it must be recalled that, under point (c) of the first subparagraph of Article 6(1), processing of personal data is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. In addition, in accordance with point (e) of the first subparagraph of Article 6(1), processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is also lawful.
104 Article 6(3) of the GDPR specifies, inter alia, in respect of those two situations in which processing is lawful, that the processing must be based on EU law or Member State law to which the controller is subject, and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued.
105 Concerning, in the first place, the question whether the processing at issue in the main proceedings is necessary for compliance with a legal obligation arising from EU law or Member State law to which the controller is subject, for the purposes of point (c) of the first subparagraph of Article 6(1) of the GDPR, it should be noted, as the Advocate General observed in points 45 and 47 of her Opinion, that Directive 2017/1132 does not require the systematic processing of all personal data contained in an act subject to compulsory disclosure under that directive. On the contrary, it follows from Article 161 of that directive that the processing of personal data carried out in the context of Directive 2017/1132 and, in particular, any collection, storage, making available to third parties and publication of information under that directive must fully satisfy the requirements arising from the GDPR.
106 It is thus for the Member States, in the context of the implementation of the obligations imposed by that directive, to ensure that the objectives of legal certainty and protection of the interests of third parties pursued by that directive and recalled in paragraph 77 of the present judgment, are reconciled with the rights enshrined in the GDPR and the fundamental right to the protection of personal data, by striking a fair balance between those objectives and those rights (see, to that effect, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 98).
107 Therefore, it cannot be held that the making available to the public, online, in the commercial register, of personal data not required by Directive 2017/1132 or by the national legislation at issue in the main proceedings contained in a company’s constitutive instrument subject to compulsory disclosure under that directive and transmitted to the Agency is justified by the requirement to ensure disclosure of the documents referred to in Article 14 of that directive in accordance with Article 16 thereof and that, therefore, that making available is the result of a legal obligation laid down by EU law.
108 Nor does the lawfulness of the processing at issue in the main proceedings appear – subject to verification by the referring court – to be based on a legal obligation laid down by Member State law to which the controller is subject within the meaning of point (c) of the first subparagraph of Article 6(1) of the GDPR, in this instance Bulgarian law, in so far as, first, it is apparent from the file before the Court that Article 2(2) of the Law on the registers provides that acts that must be included in the commercial register are to be made available to the public free of information which constitutes personal data, ‘with the exception of information which must be made available to the public under the law’ and where, second, Article 13(9) of that law establishes a presumption of consent which, as is apparent from paragraph 99 of the present judgment, does not meet the requirements of the GDPR.
109 As regards, in the second place, the question whether the processing at issue in the main proceedings is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of point (e) of the first subparagraph of Article 6(1) of the GDPR, to which reference is made, in particular, by the referring court, the Bulgarian Government and the Agency, the Court has already held that the activity of a public authority consisting in safeguarding, in a database, data which companies are required to communicate on the basis of legal obligations, permitting interested persons to consult those data and providing them with copies thereof, falls within the exercise of public powers and constitutes a task carried out in the public interest within the meaning of that provision (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 43).
110 It follows that the processing at issue in the main proceedings appears, admittedly, to be carried out in connection with a task carried out in the public interest within the meaning of that provision. However, in order to satisfy the conditions imposed by that provision, it is necessary that that processing genuinely meets the objectives of general interest pursued, without going beyond what is necessary in order to achieve those objectives (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 109).
111 That requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed in Articles 7 and 8 of the Charter, since derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 110 and the case-law cited).
112 As the Advocate General observed in point 51 of her Opinion, the making available to the public, online, of personal data which are not required either by Directive 2017/1132 or by national law cannot be regarded in itself as being necessary in order to achieve the objectives pursued by that directive.
113 In particular, as regards the existence of means which are less detrimental to the fundamental rights of the data subjects, it should be noted that the national legislation at issue in the main proceedings provides that an applicant for registration of a company in the commercial register is required to provide a copy of the constitutive instrument of that company – in which personal data not required have been redacted – intended for publication in that register and accessible to third parties; that copy, in the present case, has never been provided to the Agency, even after it made a request to that effect. Nevertheless, the Bulgarian Government and the Agency have confirmed that, even after a reasonable period of time has elapsed and where the data subject is unable to obtain such a copy from the company concerned or its representatives, that legislation does not provide that the Agency may draw up that copy itself, which would, however, make it possible to achieve just as effectively the objectives of guaranteeing disclosure of company documents, legal certainty and the protection of the interests of third parties, while being less detrimental to the right to protection of personal data.
114 It should also be noted, as the Advocate General observed in point 56 of her Opinion, that, contrary to what has been argued by several Member States in their observations before the Court, the requirement to preserve the integrity and reliability of company documents – subject to compulsory disclosure under Directive 2017/1132 – which requires the publication of those documents in the form in which they were sent to the authorities responsible for maintaining the commercial register, cannot systematically prevail over that right, if it is not to render that protection purely illusory.
115 In particular, that requirement cannot impose that personal data not required by Directive 2017/1132 or by national law remain available to the public, online, in that register when, as is apparent from paragraph 113 of the present judgment, the Agency could itself draw up the copy of the instrument of the company concerned, provided for by that law, with a view to making it available.
116 It follows that the processing of personal data at issue in the main proceedings appears, in any event, to go beyond what is necessary for the performance of the task carried out in the public interest conferred on the Agency under that national legislation.
117 Consequently, as the Advocate General observed in point 59 of her Opinion, subject to the verifications which it is for the referring court to carry out, such processing also does not appear to satisfy the conditions of lawfulness laid down in points (c) and (e) of the first subparagraph of Article 6(1), read in conjunction with Article 6(3) of the GDPR.
118 In the second instance, as regards the request for erasure under Article 17 of the GDPR at issue in the main proceedings, it should be noted that, if the referring court were to conclude, following its assessment of the lawfulness of that processing, that that processing is not lawful, according to the clear wording of Article 17(1)(d) of the GDPR, it would be for the Agency, as controller – as is apparent from paragraphs 82 and 83 of the present judgment – to erase the data concerned without undue delay (see, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 108).
119 If, on the other hand, that court were to conclude that that processing does satisfy the ground for lawfulness laid down in point (e) of the first subparagraph of Article 6(1) of the GDPR, in particular in so far as the making available to the public, online, in the commercial register of data not required by Directive 2017/1132 or by the national legislation at issue in the main proceedings was necessary in order to avoid delaying the registration of the company concerned, in the interest of the protection of third parties, it should be noted that Article 17(1)(c) of the GDPR would apply.
120 It follows from that latter provision, read in conjunction with Article 21(1) of the GDPR, that the data subject enjoys a right to object to processing and a right to erasure, unless there are overriding legitimate grounds which take precedence over the interests and rights and freedoms of that person within the meaning of Article 21(1) of the GDPR, which it is for the controller to demonstrate (see, to that effect, judgment of 7 December 2023, SCHUFA Holding (Release of outstanding debt), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 111).
121 In a situation such as that at issue in the main proceedings, there does not appear to be any overriding legitimate ground, within the meaning of that provision, capable of precluding such a request for erasure.
122 First, it is apparent from the order for reference that the company of which OL is a member is already registered in the commercial register.
123 Second, as has been noted in paragraph 115 of the present judgment, the requirement to preserve the integrity and reliability of company documents subject to compulsory disclosure under Directive 2017/1132 cannot impose that personal data not required by Directive 2017/1132 or by national law be kept available to the public, online, in that register.
124 Last, assuming that the referring court comes to the conclusion that the processing of the personal data at issue in the main proceedings does satisfy the ground for lawfulness laid down in point (c) of the first subparagraph of Article 6(1) of the GDPR, it should be noted that the GDPR, and in particular Article 17(3)(b) thereof, expressly lays down the requirement to strike a balance between, on the one hand, the fundamental rights to respect for private life and to the protection of personal data, enshrined in Articles 7 and 8 of the Charter, and, on the other hand, the objectives legitimately pursued by EU law or the law of the Member States forming the basis of the legal obligation in respect of which processing is necessary to ensure compliance therewith (see, by analogy, judgment of 8 December 2022, Google (De-referencing of allegedly inaccurate content), C‑460/20, EU:C:2022:962, paragraph 58 and the case-law cited).
125 As the Court has already held, limiting access to personal data which is made subject to mandatory disclosure by EU law only to third parties who demonstrate a specific interest may, on a case-by-case basis, be justified on compelling legitimate grounds relating to the particular situation of the data subjects (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 60).
126 As the Advocate General observed in point 67 of her Opinion, the same must apply, a fortiori, where, as in the present case, the personal data concerned are not required either by Directive 2017/1132 or by national law.
127 In the light of those factors, the answer to the fourth question is that Directive 2017/1132, in particular Article 16 thereof, and Article 17 of the GDPR must be interpreted as precluding a Member State’s legislation or practice which leads the authority responsible for maintaining the commercial register of that Member State to refuse any request for erasure of personal data not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument published in that register, where a copy of that instrument in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation.
The sixth question
128 By its sixth question, the referring court asks, in essence, whether Article 4(1) of the GDPR must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’ within the meaning of that provision.
129 That provision lays down that personal data means ‘any information relating to an identified or identifiable natural person’ and specifies that ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
130 In that connection, the Court has already held that the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 23).
131 Information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 24).
132 As regards the ‘identifiable’ nature of a natural person, recital 26 of the GDPR states that account should be taken of ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.
133 It follows that the broad definition of the concept of ‘personal data’ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 26).
134 It also follows from the case-law of the Court that the handwriting of a natural person provides information relating to that person (see, to that effect, judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 37).
135 Last, it should be noted that the handwritten signature of a natural person is, in general, used to identify that person, in order to confer evidential value, concerning their accuracy and sincerity, on the documents to which it is affixed or to take responsibility for them. Furthermore, it appears that, in the constitutive instrument concerned, the members’ signature accompanies their names.
136 In the light of the foregoing, the answer to the sixth question is that Article 4(1) of the GDPR must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’ within the meaning of that provision.
The seventh question
137 By its seventh question, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’ or whether that concept of ‘non-material damage’ requires that the existence of additional tangible adverse consequences be demonstrated.
138 As a preliminary point, it should be recalled that that provision states that ‘any person who has suffered material or non-material damage as a result of an infringement of [the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered’.
139 In that regard, since the GDPR makes no reference to the law of the Member States so far as concerns the meaning and scope of the terms in that provision, in particular as regards the concepts of ‘material or non-material damage’ and of ‘compensation for the damage suffered’, those terms must be regarded, for the purposes of the application of that regulation, as constituting autonomous concepts of EU law which must be interpreted in a uniform manner in all of the Member States (see, to that effect, judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 30).
140 For that purpose, Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of that regulation is not sufficient to confer a right to compensation, since the existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Article 82(1), as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative (judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 32, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 34).
141 Thus, a person seeking compensation for non-material damage on the basis of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her such damage. Such damage cannot therefore be presumed merely on the basis that that infringement took place (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 42 and 50, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 35).
142 In particular, a person concerned by an infringement of the GDPR which has had negative consequences for him or her is required to demonstrate that those consequences constitute non-material damage, within the meaning of Article 82 of that regulation, since the mere infringement of the provisions thereof is not sufficient to confer a right to compensation (judgment of 25 January 2024, MediaMarktSaturn, C‑687/21, EU:C:2024:72, paragraph 60 and the case-law cited).
143 Therefore, where a person claiming compensation on the basis of Article 82(1) of the GDPR relies on the fear that his or her personal data will be misused in the future owing to the existence of such an infringement, the national court seised must verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject (judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 85).
144 That being said, the Court has already held that it is apparent not only from the wording of Article 82(1) of the GDPR, read in the light of recitals 85 and 146 thereof – which encourage the acceptance of a broad interpretation of the concept of ‘non-material damage’, within the meaning of that first provision – but also from the objective of ensuring a high level of protection of natural persons with regard to the processing of their personal data – which is referred to by the regulation – that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of Article 82(1) (judgment of 20 June 2024, PS (Incorrect address), C‑590/22, EU:C:2024:536, paragraph 32 and the case-law cited).
145 In particular, it is apparent from the illustrative list of types of ‘damage’ that may be suffered by data subjects, set out in the first sentence of recital 85 of the GDPR, that the EU legislature intended to include in the concept of ‘damage’ that may be suffered by data subjects, inter alia, the mere ‘loss of control’ over their own personal data, as a result of an infringement of that regulation, even if there had been no actual misuse of the data in question (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 82).
146 Furthermore, an interpretation of Article 82(1) of the GDPR to the effect that the concept of ‘non-material damage’, within the meaning of that provision, does not include situations in which a data subject relies solely on the fear that his or her personal data will be misused by third parties, in the future, would not be consistent with the guarantee of a high level of protection of natural persons with regard to the processing of personal data within the European Union, which is the aim of that regulation (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 83).
147 Similarly, that concept cannot be limited solely to damage of a certain degree of seriousness, in particular as regards the duration of the period during which the negative consequences of the infringement of that regulation were suffered by the data subjects (see, to that effect, judgment of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraphs 16 and 19 and the case-law cited).
148 Accordingly, it cannot be considered that, in addition to the three conditions set out in paragraph 140 of the present judgment, other conditions for establishing liability laid down in Article 82(1) of the GDPR, such as the tangible nature of the damage or the objective nature of the infringement, may be added (judgment of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 17).
149 Nor does that provision require that, following a proven infringement of provisions of that regulation, the ‘non-material damage’ alleged by the data subject must reach a ‘de minimis threshold’ in order that such damage may be redressed (judgment of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 18).
150 Consequently, although there is nothing to preclude the publication on the internet of personal data and the consequent loss of control over those data for a short period of time from causing the data subjects ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, those persons must also demonstrate that they have actually suffered such damage, however minimal (see, to that effect, judgments of 14 December 2023, Gemeinde Ummendorf, C‑456/22, EU:C:2023:988, paragraph 22, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 42).
151 Last, it must be stated that, when determining the amount of damages due in respect of the right to compensation for non-material damage, non-material damage caused by a personal data breach is not, by its nature, less significant than physical injury (judgment of 20 June 2024, Scalable Capital, C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 39).
152 Moreover, where a person succeeds in demonstrating that the infringement of the GDPR has caused him or her damage within the meaning of Article 82 of that regulation, the criteria for assessing the compensation due in the context of actions intended to safeguard the rights which individuals derive from that article must be prescribed within the legal system of each Member State, provided that such compensation is full and effective (see, to that effect, judgment of 20 June 2024, Scalable Capital, C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 43).
153 In that regard, the right to compensation laid down in Article 82(1), in particular in the case of non-material damage, fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a deterrent or punitive function (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraphs 57 and 58, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 61).
154 Furthermore, first, establishing the liability of the controller under Article 82 of the GDPR is subject to fault on the part of the controller, which is presupposed unless the controller proves that it is not in any way responsible for the event giving rise to the damage and, second, Article 82 does not require the degree of seriousness of that fault to be taken into account when determining the amount of damages awarded as compensation for non-material damage on the basis of that article (judgments of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 103, and of 25 January 2024, MediaMarktSaturn, C‑687/21, EU:C:2024:72, paragraph 52).
155 In the present case, as noted in paragraph 42 of the present judgment, the referring court stated that the Administrativen sad Dobrich (Administrative Court, Dobrich) had found the existence of non-material damage consisting in psychological and emotional suffering by OL, namely fear of, and concern over, possible abuse, as well as the sense of powerlessness and disappointment that her personal data could not be protected. It also held that that damage stems from the Agency’s letter of 26 January 2022, which led to an infringement of the right to erasure enshrined in Article 17(1) of the GDPR and the unlawful processing of her personal data contained in the constitutive instrument concerned made available to the public.
156 In the light of the foregoing considerations, the answer to the seventh question is that Article 82(1) of the GDPR must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated.
The eighth question
157 By its eighth question, the referring court asks, in essence, whether Article 82(3) of the GDPR must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation.
158 In the first place, as regards the rules on liability provided for in Article 82 of the GDPR, it should be recalled that that article provides, in paragraph 1 thereof, that any person who has suffered material or non-material damage as a result of an infringement of that regulation is to have the right to receive compensation from the controller or processor for the damage suffered. As is apparent from paragraph 140 of the present judgment, that right to compensation is subject to three cumulative conditions being satisfied.
159 In accordance with the first sentence of Article 82(2) of that regulation, any controller involved in processing is to be liable for the damage caused by processing which infringes that regulation. That provision, which specifies the rules on liability – the principle of which is established in paragraph 1 of that article – reproduces the three conditions necessary to give rise to the right to compensation, namely processing of personal data that infringes the provisions of the GDPR, damage suffered by the data subject, and a causal link between that unlawful processing and that damage (judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 36).
160 Article 82(3) of the GDPR, for its part, states that a controller is to be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
161 As the Court has already held, it follows from a combined analysis of Article 82(1) to (3) of the GDPR, the context of that article and the objectives pursued by the EU legislature by means of that regulation that that article provides for fault-based liability in which the burden of proof rests not on the person who has suffered damage, but on the controller (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraphs 94 and 95).
162 In particular, it would not be consistent with the objective of ensuring such a high level of protection of natural persons with regard to the processing of their personal data to opt for an interpretation according to which data subjects who have suffered damage as a result of an infringement of the GDPR should, in an action for damages under Article 82 of that regulation, bear the burden of proving not only the existence of that infringement and the damage resulting therefrom for them, but also the existence of a fault on the part of the controller, deliberately or through negligence, or even the degree of seriousness of that fault, even though Article 82 does not lay down such requirements (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein, C‑667/21, EU:C:2023:1022, paragraph 99).
163 In accordance with the case-law cited in paragraph 154 of the present judgment, the controller’s liability under Article 82 of the GDPR is thus subject to fault on the part of the controller, which is presupposed unless it proves that it is not in any way responsible for the event giving rise to the damage.
164 In that regard, as is apparent from the express addition of the words ‘in any way’ during the legislative process, the circumstances in which the controller may claim to be exempt from civil liability under Article 82 of the GDPR must be strictly limited to those in which the controller is able to demonstrate that the damage is not attributable to it (judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 70).
165 The Court also held that, in the event of a personal data breach committed by a third party, such as a cyber criminal, or by a person acting under the authority of the controller, that controller may be exempted from liability, on the basis of Article 82(3) of the GDPR, only if it proves that there is no causal link between any breach of the data protection obligation incumbent on it under that regulation and the damage suffered by the natural person concerned (see, to that effect, judgments of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 72, and of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 51).
166 Therefore, in order for the controller to be exempted from liability under Article 82(3) of the GDPR, it cannot be sufficient for it to demonstrate that it had given instructions to persons acting under its authority, within the meaning of that regulation, and that one of those persons failed in his or her obligation to follow those instructions, with the result that that person contributed to the occurrence of the damage in question (see, to that effect, judgment of 11 April 2024, juris, C‑741/21, EU:C:2024:288, paragraph 52).
167 In the second place, as regards the rules on evidence, it should be recalled that the GDPR does not lay down rules relating to the admission and probative value of evidence which must be applied by the national courts hearing an action for damages based on Article 82 of that regulation. Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each Member State to prescribe the detailed rules for safeguarding rights which individuals derive from Article 82 and, in particular, the rules on evidence, subject to compliance with the principles of equivalence and effectiveness (see, to that effect, judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 60 and the case-law cited).
168 In the third place, as regards an opinion issued under Article 58(3)(b) of the GDPR, it should be recalled that that article lays down the powers of the supervisory authorities.
169 Thus, Article 58 of the GDPR confers on those authorities, in paragraph 1 thereof, investigative powers, in paragraph 2 thereof, the power to adopt corrective measures, in paragraph 3 thereof, the authorisation powers and the advisory powers listed therein and, in paragraph 5 thereof, the power to bring any infringement of that regulation to the attention of the judicial authorities and, where appropriate, to commence or engage in legal proceedings in order to enforce the provisions of that regulation.
170 Among the powers listed in Article 58(3) of the GDPR is included, in point (b) of that provision, the power ‘to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data’.
171 It is clear from the wording of that latter provision, in particular from the term ‘opinions’, that the issuing of such an opinion falls within the scope of the advisory powers of the supervisory authority, and not within that of its authorisation powers.
172 The use of the terms ‘opinions’ and ‘advisory powers’ also indicates that an opinion issued on the basis of Article 58(3)(b) of the GDPR is not, under EU law, legally binding.
173 Recital 143 of the GDPR confirms that interpretation. Indeed, that recital states that ‘each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority’.
174 Since an opinion issued to the controller is not legally binding, it cannot in itself demonstrate that the damage is not attributable to that controller, within the meaning of the case-law cited in paragraph 164 of the present judgment, nor, therefore, that it is sufficient to exempt that controller from liability under Article 82(3) of the GDPR.
175 Such an interpretation of Article 82(3) is also consistent with the objectives pursued by the GDPR of ensuring a high level of protection of natural persons with regard to the processing of their personal data and of ensuring effective compensation for the damage that they may suffer as a result of processing of those data that infringes that regulation. If it were sufficient for the controller to rely on a legally non-binding opinion in order to escape all liability and, accordingly, from any obligation to compensate, the controller would not be encouraged to do everything within its power to ensure that high level of protection and to comply with the obligations imposed by that regulation.
176 In the light of the foregoing, the answer to the eighth question is that Article 82(3) of the GDPR must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is not sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation.
Costs
177 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (First Chamber) hereby rules:
1. Article 21(2) of Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law
must be interpreted as not imposing on a Member State an obligation to permit the disclosure, in the commercial register, of a company’s constitutive instrument subject to compulsory disclosure under that directive and containing personal data, other than the minimum personal data required, disclosure of which is not required by the law of that Member State.
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Article 4(7) and (9) thereof
must be interpreted as meaning that the authority responsible for maintaining the commercial register of a Member State which publishes, in that register, the personal data contained in a company’s constitutive instrument, which is subject to compulsory disclosure under Directive 2017/1132 and was transmitted to it in an application for registration of the company concerned in that register, is both a ‘recipient’ of those data and, particularly in so far as it makes them available to the public, a ‘controller’ of those data, within the meaning of that provision, even where that instrument contains personal data not required by that directive or by the law of that Member State.
3. Directive 2017/1132, in particular Article 16 thereof, and Article 17 of Regulation 2016/679
must be interpreted as precluding a Member State’s legislation or practice which leads the authority responsible for maintaining the commercial register of that Member State to refuse any request for erasure of personal data not required by that directive or by the law of that Member State, contained in a company’s constitutive instrument published in that register, where a copy of that instrument in which those data have been redacted has not been provided to that authority, contrary to the procedural rules laid down by that legislation.
4. Article 4(1) of Regulation 2016/679
must be interpreted as meaning that the handwritten signature of a natural person is covered by the concept of ‘personal data’ within the meaning of that provision.
5. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that a loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated.
6. Article 82(3) of Regulation 2016/679
must be interpreted as meaning that an opinion of the supervisory authority of a Member State, issued on the basis of Article 58(3)(b) of that regulation, is not sufficient to exempt from liability, under Article 82(2) of that regulation, the authority responsible for maintaining the commercial register of that Member State which has the status of ‘controller’, within the meaning of Article 4(7) of that regulation.
[Signatures]
* Language of the case: Bulgarian.