Court of Justice of the European Union publishes judgment concerning the the Registry Entries Agency of Bulgaria refusal to delete certain personal data concerning an individual contained in a partnership agreement

October 7, 2024 |

The Court of Justice of the European Union (CJEU) has published its judgment (found here)  concerning the Registry Entries Agency of Bulgaria refusal to delete certain personal data concerning an individual contained in a partnership agreement published in the commercial register under the General Data Protection Regulation (GDPR).

The claimant was  a partner of a limited liability company under Bulgarian law.

On July 8, 2021, the claimant asked the Agency to delete the personal data contained in the partnership agreement, specifying that consent was withdrawn. The Agency did not responded which lead to a claim before the Administrative Court of Dobrich which annulled the Agency’s implied refusal to delete the data and referred the case back to the Agency for a new decision. The Agency indicated, by a letter, a certified copy of the relevant partnership agreement concealing the individual’s personal data, with the exception of that required by law.

The individual claimant again brought an action before the Administrative Court seeking the annulment of the letter and an order against the Agency to compensate it for the non-pecuniary damage of the letter, which infringed the rights conferred by the GDPR. The Administrative Court annulled the letter and ordered the Agency to compensate the individual for non-pecuniary damage, pursuant to Article 82 of the GDPR. The Agency appealed to the Supreme Administrative Court which subsequently referred the case to the CJEU.

The CJEU found:

  • that Directive 2017/1132 does not impose on a Member State an obligation to authorize the publication, in the commercial register, of a partnership contract subject to the mandatory publication provided for by the Directive and containing personal data other than the minimum personal data required, the publication of which is not required by the law of that Member State.

  • that Articles 4(7) and 4(9) of the GDPR must be interpreted as meaning that the authority keeping the commercial register of a Member State which publishes, in that register, the personal data contained in a partnership contract subject to the mandatory publication provided for by the Directive, which was sent to it in the context of an application for registration by the company, is both the recipient of the data and, in particular in so far as it makes them available to the public, the controller of that data, even where that contract contains personal data not required by the Directive or by the law of that Member State.

  • that Article 82(1) of the GDPR must be interpreted as meaning a loss of control for a limited period by the data subject over their personal data due to the making available to the public of such data online in the commercial register of a Member State which may be sufficient to cause ‘non-material damage,’ provided that that person demonstrates that they actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring the demonstration of the existence of additional tangible negative consequences.

Leave a Reply





Verified by MonsterInsights