On 30 May 2024, Advocate General Medina provided an opinion on Case C-200/23, involving the Bulgarian [Company] Registration Agency’s refusal to erase personal data from a company’s constitutive instrument published in the commercial register. This case was referred by the Bulgarian Supreme Administrative Court and primarily concerns the interaction between EU data protection regulations and company law.
Background
The issue arose from OL, a member (shareholder) of a Bulgarian limited liability company, requesting the removal of her personal data from the public register, arguing that such data were published without her consent. The Bulgarian Registration Agency denied the request, leading to legal proceedings.
The AG examined the relevance of Directive 2017/1132 on company law and Regulation 2016/679 (GDPR). Articles 14 and 16 of Directive 2017/1132 require the public disclosure of certain company documents, while Articles 4 to 6 and 17 of the GDPR regulate the processing and erasure of personal data.
Advocate General’s Suggested Answers to the Referred Questions
- Controller Responsibility
- Conclusion: The Bulgarian Registration Agency is solely responsible for making personal data in company documents available to the public, even if such data should have been redacted before submission.
- Reasoning: Article 4(7) and Article 26(1) of the GDPR define the controller as the entity that determines the purposes and means of processing. The agency processes and discloses the data according to legal obligations, making it the controller.
- Procedural Requirements for Data Erasure
- Conclusion: The GDPR precludes national legislation or practices that condition data erasure on the submission of a redacted copy of the document. The agency must fulfill erasure requests without undue delay, regardless of whether a redacted copy is provided.
- Reasoning: Articles 17 and 23(1) of the GDPR guarantee the right to erasure and limit restrictions on this right. Procedural rules requiring redacted copies impose unnecessary obstacles and violate the GDPR’s provisions.
- Compatibility with Company Law Directive
- Conclusion: Directive 2017/1132, as amended by Directive 2019/1151, does not permit procedural rules that restrict the right to data erasure. The agency can redact personal data itself and retain an unredacted version on file.
- Reasoning: The directive mandates public access to company documents but does not preclude data protection requirements. Recital 8 emphasizes compliance with data protection laws, allowing the agency to redact non-essential data while preserving document integrity.
Unanswered Questions
The Advocate General left several questions unanswered, among which whether a handwritten signature constitutes personal data within the meaning of Article 4(1) of the GDPR.
Conclusion
Medina’s opinion highlights the necessity for procedural safeguards that protect personal data while maintaining the public interest in company transparency. The opinion is not binding, and the CJEU will issue its own ruling.
👉 Find the AG Opinion here.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.
