The Belgian Official Gazette as data controller

On Jan. 11, 2024, the Court of Justice ruled on the role of the Belgian Official Gazette as a data controller in the publication of personal data.

When amending the articles of association of a private limited company, the shareholders took the decision to reduce the company capital. In line with the legislation, the notary sent the resolution to the registry of the competent corporate court for publication in the annexes to the Belgian Official Gazette.

In addition to the information required by law, the published information included unnecessary disclosures such as the names of the shareholders and the corresponding reimbursed amounts with bank account numbers. These unintentional disclosures were due to a carelessness on the part of the notary.

In such a situation, the question arises to what extent shareholders can invoke their rights under the General Data Protection Regulation (GDPR). Can they obtain the deletion of their data? To whom should they turn? In this blog post, we discuss the aforementioned ECJ ruling and look at the various protection options offered by the GDPR.

GDPR

The GDPR provides various means of action for the data subject, in the context of the processing of his personal data. In this case, we must ask several questions:

• Does the publication of a company's shareholders' name and account number in the Belgian Official Gazette constitute "processing" of "personal data"?
• Who is the data controller in this case: the notary, the registry or the Belgian Official Gazette?
• Is the processing lawful? What processing basis can the controller invoke?
• Can the data subject invoke his right to data erasure in this situation?

Processing of personal data

The GDPR only applies if it involves "processing" of "personal data. There is no dispute that the name and account number are 'personal data' subject to the protection of the GDPR. The term 'processing' is clearly defined in the GDPR. Translated to this case, processing is in the act of collecting the data, capturing it, organizing it, structuring it, storing it, consulting it and then transmitting it.

Data Controller

If you want to assert your rights as a data subject, you must contact the data controller. The processing controller is defined in the GDPR as:

• a natural or legal person, public authority, agency or other body
• who, alone or jointly with others, determines the purposes and means of processing personal data..

For the bottom court, the concrete interpretation of the term in this case was unclear, as the data was processed by several potential successive data controllers: 

• the notary who collected and transmitted the personal data,
• the clerk of the corporate court that filed the decision and transmitted the personal data, and 
• the Belgian Official Gazette who has the control and amendment authority over the data.

In the case before the Court of Justice of the European Union, the Court ruled on the qualification of the Belgian Official Gazette as a data controller. The purpose and means of processing are not determined by the Belgian Official Gazette itself but by national law. As a public authority, department or other body of government, this is sufficient to qualify as a data controller if Belgian law determines (directly or indirectly) who the data controller is or according to which criteria it is designated. This is not explicitly reflected in the legislation, but it can be implicitly inferred that it is the body or department responsible for processing. For this reason, according to the Court, the Belgian Official Gazette qualifies as a data controller.

In addition, the Court held that it is also possible to have multiple, joint controllers of processing in a chain. It is sufficient that a person has exercised a significant influence on the processing of personal data and, as a result, participates in determining the purposes and means of the processing. The qualification of the notary public and the clerk of the corporate court as data controllers was left to the courts on the merits.

Processing Basis

To be lawful, the processing of personal data must rest on a processing basis. In the context of this case, one could argue that the processing is necessary to satisfy a legal obligation incumbent on the data controller. In the given case, however, this was not the case. Moreover, the shareholders had not given permission to publish their name and account number. Consequently, the processing was unlawful.

Right to data erasure

Apart from the fact that the processing is unlawful, the data subject can also invoke his right to data erasure. The data subject has the right to ask the controller to delete his personal data immediately, without undue delay.

The data controller is obliged to carry out this deletion immediately in the following cases:

• the personal data are no longer needed for the purposes for which they were collected;
• the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing; or
• the data subject has objected to the processing and there are no overriding compelling legitimate grounds for the processing, or the data subject has objected to processing for direct marketing purposes.

If the shareholders in this case did give consent in the first place, they could still have had their names and account numbers removed by withdrawing their consent in accordance with the requirements of the GDPR.

Right to object

In addition to the right to data erasure, the data subject may also invoke the right to object. The data subject has the right to object to the processing at any time, for reasons specifically related to his situation, even if the processing basis is based on a legitimate interest or task of public interest. The controller must immediately stop the processing unless it invokes compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or substantiation of a legal claim.

Conclusion

In short, shareholders can remember that in the event of unwanted inclusion of data in the publication that are not required by law, the Belgian Official Gazette can be addressed as the data controller. In doing so, one can challenge the illegality, exercise the right to data erasure, or object to the processing.

Questions about data processing and the rights and obligations under the GDPR? aternio legal is happy to help.

Follow aternio on LinkedIn for more finance and legal news.