On 04.10.2024, the Court of Justice of the European Union (“CJEU”) issued its judgment on case C-200/2023 concerning the interpretation of Union acts - the General Data Protection Regulation - GDPR (the “Regulation”) and Directive (EU) 2017/1132 relating to certain aspects of company law (the “Directive”). The reference for a preliminary ruling has been made by the Supreme Administrative Court (“SAC”) in the context of a dispute between the Registry Agency (the “Agency”) and an equity shareholder in a limited liability company.

In summary, the company’s Articles of Association announced in the Commercial Register (“CR”) contain personal data (PIN, ID card number, signature, etc.) of the equity shareholder in question. In July 2021 a request was made to the Agency by the shareholder himself for his personal data to be deleted from the Articles of Association. The Agency has not acted on this request and, accordingly, it was deemed that a silent refusal has been made. After the Administrative Court of Dobrich ruled in favor of the applicant, the case reached the last possible instance – SAC.

SAC, as referring court, considers that it is necessary for the national courts to clarify the balance between the two EU acts, i.e. to establish how the right to protection of personal data, on the one hand, and the guarantees of publicity of certain company acts, on the other, are to be reconciled.

CJEU upheld that the authority entrusted with the keeping of the CR of the Member State concerned is not entitled to refuse any request for erasure of personal data not required by the Directive or the law of a Member State contained in a published company act, when the data subject has made an express request for the deletion of that personal data.

In these cases, the Agency, as the personal data controller, must prove by clear and indisputable evidence that there is an explicit legal basis for continuing to process the personal data (i.e. not deleting them from the relevant act) despite the subject's request for erasure, i.e. proving that one of the so-called “necessity requirements” within the meaning of Article 6 of the Regulation is met. These are hypotheses where there is an undisputed public interest, an express power of the authority concerned, explicit consent of the data subject, etc.

In this sense, the CJEU holds that the provision of Art. 13, para 9 of the Commercial Register Act, which states that “where personal data not required by law are indicated in the application or in the documents attached thereto, the persons providing them shall be deemed to have given their consent to their processing by the Agency and to the provision of public access to them”, is unlawful and, accordingly, it is necessary to have the express consent of the person concerned in order to consider that the processing of personal data is not contrary to the law.

The CJEU points out that the Agency undoubtedly has the capacity of “recipient” and “controller” of personal data. Arguments in support of this position are that the Agency is a public authority and determines itself the purposes and means of processing personal data. As a consequence, the Agency is obliged to comply with all the mandatory provisions of the Regulation, including ensuring that, in the absence of consent to process personal data, processing can only proceed if the “necessity requirements” within the meaning of Article 6 of the Regulation are proven.

Further, CJEU's ruling brings clarity on another matter, namely - it upholds that the handwritten signature of an individual falls in the scope of the concept of “personal data” within the meaning of the Regulation. This conclusion rests on a number of considerations relating to the broad meaning of the “personal data” concept, the nature of the handwritten signature and its function of identifying the person who affixes it.

Another question is also raised - whether the loss of control by the data subject over the processing of his/her data for a short period of time, due to their publication in the CR of a Member State, may be sufficient to cause “intangible damages” or whether additional “substantial negative consequences” are required. CJEU's position is that the limited duration of the loss of control by the data subject over his or her personal data due to their unlawful publication in the CR of a Member State may be sufficient to cause “intangible damages”, as long as the data subject proves that they have actually suffered such damage, even if minimal, but without the necessity of proving any additional “substantial negative consequences” (i.e. damage above a certain minimum threshold).

With its judgment under Case C-200/2023 CJEU brings the necessary clarity on the balance between the right to protection of personal data and the legal framework guaranteeing the publicity and accessibility of certain acts of companies. The binding interpretations handed down by CJEU have important practical implications and provide useful guidance to public authorities which are data controllers when acting in that capacity.