A curious case recently had to be decided by the Court of Justice of the European Union (“CJEU”) – can the publication of a company’s memorandum of association constitute a breach of a person’s rights under the GDPR? The Bulgarian Public Registry Agency (“the Agency”), the entity in charge of the Bulgarian Commercial Register (there is no similar office/agency in the Czech Republic, but the regional courts are in charge of the same agenda), refused to delete certain personal data of Ms OL from the Bulgarian Commercial Register. She saw in this action a violation of her rights guaranteed by the GDPR and sued the Agency.

What preceded the lawsuit

Ms OL is a partner in a limited liability company. The latter, like any other similar company, is subject to the requirement to file a memorandum of association with the Companies Registry. In addition to Ms OL’s name, the contract also contained her identification number, her identity card number, the date and place of issue of that card, her home address and her signature. The Agency has published the memorandum of association in the Commercial Register with this information.

After about half a year, Ms OL started to request the deletion of these data from the register. But when the Agency did not respond, she filed a complaint with the Administrative Court, which ordered the Agency to delete the personal data. In response to this request, the Agency wrote a letter to Ms OL asking her to send the memorandum of association with the data obscured.

However, even this letter was found to be invalid by Ms OL and the Administrative Court, and by judgment the Agency was ordered to pay Ms OL approximately EUR 255 in compensation for the non-material damage caused by its failure to act. The Agency decided to fight this decision, and the case went through the Bulgarian Supreme Administrative Court to the CJEU.

Preliminary questions and CJEU rulings

The Bulgarian Supreme Administrative Court did not spare the CJEU and asked it 8 preliminary questions. However, some were not answered by the CJEU due to their interconnectedness, and some were not interesting enough to be worth mentioning here. Of particular interest were questions 5, 6, 7 and 8, which were related to the GDPR.

The fifth question was whether the Agency was acting as a recipient or as a controller of personal data in this case. The CJEU, same as the Advocate General, concluded that although the Agency does not control the data in the documents transmitted to it and subsequently published, it acts as the controller of the personal data contained in those documents. This is so even if it should have been given a version of the document with the personal details obscured but was not given such a copy. Therefore, what makes the Agency (and therefore the Czech courts, too) the controller of personal data is their publication in the Commercial Register.

The next question was a little more straightforward: is a handwritten signature personal information? In view of its case-law, the CJEU has held that it is personal data, in particular because it provides information about the signatory and serves to identify him/ her.

The penultimate question focused on the interpretation of the concept of “non-material damage” under the GDPR and its prerequisites in relation to the present case. According to the CJEU, the mere loss of control over one’s personal data published in the commercial register may constitute non-material damage under Article 82 of the GDPR, provided that the subject proves any non-material damage. Such non-material harm may include the fear of misuse of the personal data disclosed.

Even dealing with the last question did not take the CJEU much time. The Bulgarian court sought an answer to the question whether an opinion issued by a supervisory authority (in the Czech Republic, the Personal Data Protection Office) can completely exclude the Agency’s liability for damage. The answer was of course in the negative, as the opinion is not legally binding and the possibility to exclude liability for damage in this way would completely contradict the meaning and objectives of the GDPR.

What now?

The Supreme Administrative Court in Bulgaria will have to take into account in its decision all the answers of the CJEU to the questions it asked, but all indications are that the Agency was rightly fined, Ms OL’s personal data should not have been published at all and should have been deleted upon request.

Although this is an interesting decision, its application in other Member States, including the Czech Republic, will not be as simple as it may seem. Each country has a different legal framework for the disclosure of personal data. Even so, in some parts the decision provides an interesting basis for possible similar domestic litigation.

The full decision can be found at https://curia.europa.eu/ under file number C-200/23.