Case C‑231/22
État belge
v
Autorité de protection des données
(Request for a preliminary ruling from the Cour d’appel de Bruxelles)
Judgment of the Court (Third Chamber) of 11 January 2024
(Reference for a preliminary ruling – Approximation of laws – Protection of natural persons with regard to the processing of personal data and free movement of such data (General Data Protection Regulation) – Regulation (EU) 2016/679 – Point 7 of Article 4 – Concept of ‘controller’ – Official journal of a Member State – Obligation to publish as they stand company documents prepared by companies or their legal representatives – Article 5(2) – Successive processing of the personal data contained in such documents by several separate persons or entities – Determination of responsibilities)
1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Concept of controller – Official journal of a Member State that ensures the publication of official acts and documents prepared by third parties and has no power to review their content – Included – Condition – Determination of the purposes and means of the processing of personal data by that official journal under national law – Procedures – Lack of legal personality is irrelevant
(European Parliament and Council Regulation 2016/679, Art. 4, point 7)
(see paragraphs 28, 30, 34-39, operative part 1)
2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Principles relating to processing – Determination of who is responsible for compliance with those principles in the case of successive processing of the same data – Responsibility of the official journal of a Member State that ensures the publication of official acts and documents prepared by third parties and has the status of controller – Scope – Individual responsibility of the official journal – Joint responsibility with other entities – Condition – Determination of the purposes and means linking the various processing operations and of the respective responsibilities of the joint controllers under national law – Procedures
(European Parliament and Council Regulation 2016/679, Arts 4, point 7, 5(1) and (2), and 26(1))
(see paragraphs 42-45, 49, 50, 52, operative part 2)
Résumé
Ruling on a request for a preliminary ruling from the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium), the Court of Justice clarifies, first, the scope of the concept of ‘controller’ and, second, the limits of the responsibilities of a controller, where processing of the same personal data is performed by successive entities.
On 12 February 2019, the Moniteur belge, which ensures in Belgium the production and dissemination of a wide range of official and public publications in paper format and electronically, published an extract from a decision of a company concerning a reduction in its capital. That extract, drawn up by the notary of a partner of the company and sent on to the court having jurisdiction, which, in turn, sent it for publication to the Office of that official journal, contained personal data of that partner.
After finding that the passage containing his data had been included in the extract as a result of an error made by the notary, the data subject requested to have that passage deleted on the basis of his right to erasure. (1) However, the service public fédéral Justice (Federal Public Service Justice; ‘the FPS Justice’), to which the Office of the Moniteur belge is attached, refused to grant his request. Following that refusal, that data subject lodged a complaint against the FPS Justice with the Autorité de protection des données (Data Protection Authority, Belgium; ‘the DPA’). By decision of 23 March 2021, the DPA ordered the FPS Justice to comply with the request for erasure as soon as possible. The État belge (Belgian State) then brought an action before the cour d’appel de Bruxelles (Court of Appeal, Brussels) seeking the annulment of the DPA’s decision.
In that context, the cour d’appel de Bruxelles (Court of Appeal, Brussels) has asked the Court whether the Moniteur belge may be classified as a ‘controller’ (2) and whether it must be regarded as solely responsible for compliance with the principles relating to processing of data (3) or whether that responsibility is also incumbent cumulatively on the entities that have previously processed the data contained in the passage concerned.
Findings of the Court
In the first place, as regards the question whether the agency or body responsible for the official journal of a Member State such as the Moniteur belge may be classified as a ‘controller’ within the meaning of the GDPR, the Court states that, having regard to the broad definition of that concept, the determination of the purposes and means of the processing and, where appropriate, the nomination of the controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the agency or body concerned.
The Court finds that, in the present case, Belgian law has determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge. It follows that the Moniteur belge may be considered to be the ‘controller’.
The Court emphasises that that conclusion is not called into question by the fact that the Moniteur belge does not have legal personality or by the fact that, pursuant to national law, it does not check, prior to their publication, the personal data contained in the acts and documents that it receives.
While it is true that that body must publish the document in question as it stands, it is that body alone that undertakes that task and then disseminates the act or document concerned. The publication of such acts and documents without any possibility of checking or amending their content is intrinsically linked to the purposes and means of processing determined by national law. The role of that official journal is confined to informing the public of the existence of those acts and documents, as they stand when sent to that official journal in the form of copies in accordance with the applicable national law, so as to make them enforceable against third parties. Moreover, it would be contrary to the objective of point 7 of Article 4 of the GDPR to exclude the official journal of a Member State from the concept of ‘controller’ on the ground that it does not exercise control over the personal data contained in its publications.
In the second place, as regards the question whether a body such as the Moniteur belge must be regarded as solely responsible for compliance with the principles relating to processing of personal data set out in the GDPR, (4) the Court observes that the processing that was entrusted to the Moniteur belge is both subsequent to the processing performed by the notary and by the registry of the court having jurisdiction and technically different from the processing performed by those two entities in that it is additional to it. The operations performed by the Moniteur belge are entrusted to it by national legislation and involve inter alia the digital transformation of the data contained in the acts or extracts of acts submitted to it and the publication, the making widely available to the public and the storage of those data. Therefore, the Moniteur belge must be considered to be responsible for compliance with all the obligations imposed on the controller by the GDPR.
In addition, the Court recalls that point 7 of Article 4 of the GDPR provides not only that the purposes and means of the processing of personal data may be determined jointly by several persons as controllers, but also that national law may determine those purposes and means and nominate the controller or provide for the specific criteria for its nomination. Thus, in connection with a chain of processing operations that are performed by different persons or entities and relate to the same personal data, national law may determine the purposes and means of all the processing operations performed successively by those different persons or entities in such a way that they are regarded jointly as controllers.
The Court emphasises that, under the GDPR, (5) the joint responsibility of several actors in a processing chain concerning the same personal data may be established by national law provided that the various processing operations are linked by purposes and means determined by national law and that national law determines the respective responsibilities of each of the joint controllers. Such a determination of the purposes and means linking the various processing operations performed by several actors in a chain and of their respective responsibilities may be made not only directly but also indirectly by national law, provided that, in the latter case, it can be inferred in a sufficiently explicit manner from the legal provisions governing the persons or entities concerned and the processing of the personal data that they perform in connection with the processing chain imposed by that law.
Thus, the Court concludes that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’, is solely responsible for compliance with the principles set out in the GDPR as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.