In March 2017, the Court of Justice of the European Union (“CJEU”) ruled that there is no right to be forgotten for personal information contained in company registries.
The CJEU’s preliminary ruling was handed in the context of a request made in appeal proceedings between the Italian Chamber of Commerce (Lecce) and a certain Mr Manni.
Mr Manni was an administrator of a company that went bankrupt in 1992 and was dissolved in 2005. Subsequently, he was involved as sole director of another company which built a complex of tourist properties. He alleged that his personal information in the companies register regarding the bankrupt company had been processed by a rating agency and that despite a request to remove this information from the register, the Chamber of Commerce failed to remove it, resulting in the tourist complex properties not selling as potential purchasers had access to this information.
The CJEU ruled that the failure to remove such personal information does not constitute a disproportionate interference with the fundamental right of protection of personal data. Only a limited amount of personal information is entered into a companies register and it is only justifiable that persons who choose to be involved in trade would be required to disclose information relating to their functions and identity. However, following the expiry of a sufficiently long period of time from the winding up of a company, it is a matter of national law for Member States to determine whether, on the basis of a case-by-case assessment and only if it is exceptionally justified, access to personal information entered in company registries can be limited to third parties who have a specific interest in consulting such information.
It is worth noting that the referral posed to the CJEU did not concern the processing of the information by the rating agency. The referral concerned solely whether the Directives on personal data and disclosure of company information should be interpreted as permitting individuals, after a certain period has lapsed from the winding up of a company, to request that the relevant company registries limit access to personal data concerning those individuals in the register.