In its judgement of 9 March 2017 in case C-398/15 the Court of Justice of the EU (ECJ) handed down an important judgement on the scope of the so-called "right to be forgotten" on the basis of Personal Data Protection Directive 95/46/EC. The ECJ considered that this directive does not preclude any person from accessing, without any time limit, personal data set out in the companies registers. Nevertheless, on a case by case basis, where exceptionally justified and upon expiry of sufficient period after dissolution of the company, Member States might restrict access to such data.
Mr. Manni, an Italian citizen and previous director of a company which went bankrupt, wanted his data to be erased from the company register. He considered that the publication of such information was detrimental to his new business activities. Faced to the refusal of the company register to erase such data, Mr. Manni brought an action before the courts to request the erasure of his data and the allocation of damages. In the first instance, the court agreed with Mr. Manni.
The Italian Supreme Court has requested the ECJ for a preliminary ruling to assess whether the storage limitation principle laid down in Personal Data Protection Directive 95/46/EC shall prevail over the companies register’s publication system set out in accordance with Directive 68/151, which does not limit in time the publication of director’s personal data.
Too many scenarios within the EU for one storage period
The ECJ pointed out that even after the dissolution of a company, rights and legal relations relating to it continue to exist. Therefore, in the event of a dispute, personal data contained in the companies register may be necessary during the limitation period and thus many years after a company has ceased to exist.
In view of the range of possible scenarios, which may involve actors in several Member States, and the considerable heterogeneity in the limitation periods provided for by the various national laws in the various areas of law, the ECJ considered that it seemed impossible, at present, to identify a single time limit, as from the dissolution of a company, at the end of which the inclusion of such data in the register and their disclosure would no longer be necessary.
Furthermore, the ECJ considered that there is no disproportionate interference with the fundamental rights of the data subjects, given that (i) the number of personal data published is limited and (ii) this is a protection of third parties which enter into relation with joint-stock companies and limited liability companies offering as sole safeguard their assets.
On the basis of the data subject's right to object, Member States may nevertheless decide locally whether the concerned natural persons may apply to the authority responsible for keeping the register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
Thus, the criteria resulting from the ECJ ruling to establish a local exception to the personal data publication are very subjective and might be complex to implement. The ECJ’s wish seems to restrict the adoption of local legislation to the extent possible in order to avoid discrepancies between Member States and thus single market loopholes.
Impact on the GDPR’s right to be forgotten
The General Data Protection Regulation 2016/679 (“GDPR”) officially introduces in the law the right to erasure (“right to be forgotten”) and exceptions thereto. Personal data shall not be erased where the processing is necessary inter alia (i) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and (ii) for the establishment, exercise or defence of legal claims.
In its ruling, the ECJ considered that the processing carried out by companies registers are based on several legitimate grounds, including compliance with a legal obligation and a legitimate interest pursued by the controller or by the third parties to whom the data are disclosed (including protection of third parties).
Therefore, the GDPR’s exceptions to the right to be forgotten seem also to be applicable to the publication of personal data in the companies register. Nevertheless, there is a doubt whether the above mentioned local exceptions allowing an access limitation to personal data by third parties would be valid after entry into force of the GDPR on 25 May 2018.