État belge v Autorité de protection des données.
| Jurisdiction | European Union |
| ECLI | ECLI:EU:C:2024:7 |
| Date | 11 January 2024 |
| Docket Number | C-231/22 |
| Celex Number | 62022CJ0231 |
| Court | Court of Justice (European Union) |
Provisional text
JUDGMENT OF THE COURT (Third Chamber)
11 January 2024 (*)
(Reference for a preliminary ruling – Approximation of laws – Protection of natural persons with regard to the processing of personal data and free movement of such data (General Data Protection Regulation) – Regulation (EU) 2016/679 – Point 7 of Article 4 – Concept of ‘controller’ – Official journal of a Member State – Obligation to publish as they stand company documents prepared by companies or their legal representatives – Article 5(2) – Successive processing of the personal data contained in such documents by several separate persons or entities – Determination of responsibilities)
In Case C‑231/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the cour d’appel de Bruxelles (Belgium), made by decision of 23 February 2022, received at the Court on 1 April 2022, in the proceedings
État belge
v
Autorité de protection des données,
other party:
LM,
THE COURT (Third Chamber),
composed of K. Jürimäe, President of the Chamber, N. Piçarra, M. Safjan (Rapporteur), N. Jääskinen and M. Gavalec, Judges,
Advocate General: L. Medina,
Registrar: C. Strömholm, Administrator,
having regard to the written procedure and further to the hearing on 23 March 2023,
after considering the observations submitted on behalf of:
– the Autorité de protection des données, by F. Biebuyck, P. Van Muylder, avocates, and E. Kairis, advocaat,
– the Belgian Government, by P. Cottin, J.-C. Halleux and C. Pochet, acting as Agents, and by S. Kaisergruber and P. Schaffner, avocats,
– the Hungarian Government, by Zs. Biró-Tóth and M.Z. Fehér, acting as Agents,
– the European Commission, by A. Bouchagiar, H. Kranenborg and A.-C. Simon, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 8 June 2023,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of point 7 of Article 4 and Article 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings between the État belge (Belgian State) and the Autorité de protection des données (Data Protection Authority, Belgium; ‘the DPA’), which is the supervisory authority established in Belgium pursuant to Article 51 of the GDPR, concerning a decision by which that authority ordered the managing authority of the Moniteur belge, the official journal which ensures, in that Member State, the production and dissemination of a wide range of official and public publications in paper format and electronically, to give effect to the exercise, by a natural person, of his right to erasure in relation to a number of items of personal data contained in an act published in that official journal.
Legal context
European Union law
3 Points 2 and 7 of Article 4 of the GDPR provide:
‘For the purposes of this Regulation:
…
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…’
4 Article 5 of the GDPR states:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
5 Article 17 of the GDPR is worded as follows:
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
…
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
…
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; …
…’
6 Pursuant to Article 26 of the GDPR:
‘1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the...
To continue reading
Request your trial