LM – CJEU Judgment (European Union, 2024)

The statute of a company was changed by a natural person who was the majority shareholder. As a consequence of the changes, some personal data of him and the other company's partners were wrongly included. Among such data, there were names, monetary amounts and bank account details. As per national law, the new articles were prepared by the notary of the majority shareholder, and sent to the the registry of the court (Companies Court) and then forwarded by the court to the Office of the Moniteur belge for publication. After the publication, the notary, having realised the mistake, was authorised to request the deletion of the above sensitive data on behalf of the data subject (the majority shareholder) under Article 17 GDPR. The Moniteur Belge refused and the data subject filed a complaint with the Belgian DPA. The Belgian DPA reprimanded the Moniteur Belge and ordered them to comply with the erasure request within 30 days. The Belgian State appealed this decision to the Brussels Court of Appeal seeking an annulment of the DPA's decision. Specifically, they argued that it was uncertain whether the Moniteur Belge was a controller as per Article 4(7) GDPR. The passage had been processed by several 'successive controllers' (the notary who drew up the extract, the registry of the Court and the Moniteur Belge, who published the extract as it stood due to national law requirements). Moreover, since the parties did not claim joint controllership, it was also uncertain whether the Moniteur Belge was solely responsible for compliance with the GDPR. With this in mind, the court referred two questions to the CJEU: 1) Does Article 4(7) GDPR mean that a Member State's official journal, responsible for publishing official documents under national law (such as the one in the case), has the status of a data controller? 2) If so, does Article 5(2) GDPR mean that only that journal in question need to comply with the data controller's responsibilities? Or are the responsibilities i