LM – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union ruled that a Belgian official journal must comply with data deletion requests. This decision is significant because it clarifies that even government entities must follow data protection laws. Companies should be aware that all organizations, including public ones, have responsibilities under GDPR.
What happened
The Belgian official journal refused to delete sensitive personal data as requested by a majority shareholder.
Who was affected
The majority shareholder and other partners whose personal data was included were affected.
What the authority found
The Court ruled that the official journal must comply with the request to delete personal data, confirming its status as a data controller.
Why this matters
This ruling sets a precedent that government bodies are also accountable under GDPR. It emphasizes the importance of compliance with data deletion requests across all types of organizations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The statute of a company was changed by a natural person who was the majority shareholder. As a consequence of the changes, some personal data of him and the other company's partners were wrongly included. Among such data, there were names, monetary amounts and bank account details. As per national law, the new articles were prepared by the notary of the majority shareholder, and sent to the the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication. After the publication, the notary, having realised the mistake, was authorised to request the deletion of the above sensitive data on behalf of the data subject (the majority shareholder) under Article 17 GDPR. The Moniteur Belge refused and the data subject filed a complaint with the Belgian DPA. The Belgian DPA reprimanded the Moniteur Belge and ordered them to comply with the erasure request within 30 days. The Belgian State appealed this decision to the Brussels Court of Appeal seeking an annulment of the DPA's decision. Specifically, they argued that it was uncertain whether the Moniteur Belge was a controller as per Article 4(7) GDPR. The passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the Court and the Moniteur Belge, who published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, it was also uncertain whether the Moniteur Belge was solely responsible for compliance with the GDPR. With this in mind, the court referred two questions to the CJEU: 1) Does Article 4(7) GDPR mean that a Member State's official journal, responsible for publishing official documents under national law (such as the one in the case), has the status of a data controller? 2) If so, does Article 5(2) GDPR mean that only that journal in question need to comply with the data controller's responsibilities? Or are the responsibilities i
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for LM in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
11 January 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7492About this data
Cite as: Cookie Fines. LM - European Union (2024). Retrieved from cookiefines.eu
Last updated: