Belgian State (Donnees traitees par un journal officiel) (Processing of personal data - Concepts of 'controller' and 'processor' - Determining the purpose and the means of the data processing - Opinion) [2023] EUECJ C-231/22_O (08 June 2023)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Court of Justice of the European Communities (including Court of First Instance Decisions)


You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> Belgian State (Donnees traitees par un journal officiel) (Processing of personal data - Concepts of 'controller' and 'processor' - Determining the purpose and the means of the data processing - Opinion) [2023] EUECJ C-231/22_O (08 June 2023)
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C23122_O.html
Cite as: ECLI:EU:C:2023:468, [2023] EUECJ C-231/22_O, EU:C:2023:468

[New search] [Contents list] [Help]


Provisional text

OPINION OF ADVOCATE GENERAL

MEDINA

delivered on 8 June 2023(1)

Case C231/22

État belge

v

Autorité de protection des données,

joined party:

LM

(Request for a preliminary ruling from the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium))

(Reference for a preliminary ruling – Regulation (EU) 2016/679 – Article 4(7) and (8) – Processing of personal data – Concepts of ‘controller’ and ‘processor’ – Determining the purpose and the means of the data processing – Obligation of designation by national law – Official journal – Publication of a company law act prepared by a notary – Request for withdrawal – Margin of discretion – Immutability – Article 5(2) – Successive controllers – Separate obligations of separate entities)






1.        Acta Diurna were daily Roman official notices carved in stone or metal and displayed in public places such as the Forum of Rome. In the digital era, the issue that national authorities may be confronted with is whether the data published by the official journal of a given country are also carved in stone, metaphorically speaking, or whether they can be erased or modified.

2.        The origin of the main proceedings lies in the publication of data by the Belgian official journal, the Moniteur belge, which publishes official documents in paper format and electronically.

3.        The main proceedings are between the État belge (Belgian State) and the Autorité de protection des données  (Data Protection Authority, Belgium; ‘the DPA’). Having noted that a passage from a company’s decision that was authenticated by a notary and which contained, in addition to the data required by Belgian law, personal data of a natural person was published by mistake, the Data Protection Officer (‘DPO’) of the notary requested the Moniteur belge to delete those data. However, the Service Public Fédéral Justice (Federal Public Service Justice; ‘the FPS Justice’), which is the managing authority of the Moniteur belge, refused that request.

4.        Against that background, the questions submitted by the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium) in its request for a preliminary ruling have a rather narrow scope. The referring court inquires, in essence, whether the Moniteur belge or the FPS Justice must be considered to be a ‘controller’ within the meaning of Article 4(7) of the Regulation (EU) 2016/679 (‘the GDPR’). (2) If the answer to that question is in the affirmative, the referring court also queries the limits of the obligations of a controller when the processing is carried out by consecutive entities.

I.      Legislative framework

A.      European Union law

5.        In Chapter I of the GDPR, entitled ‘General provisions’, Article 4 thereof defines, in particular, the following terms: ‘personal data’, ‘processing’, ‘controller’ and ‘processor’.

6.        Articles 5, 6, 17 and 26 of the GDPR are also relevant to this case.

B.      National law

1.      The Companies Code

7.        Article 67(1) and (2) of the Loi du 7 mai 1999 contenant le Code des sociétés (3) (Law of 7 May 1999 on the Companies Code; ‘the Companies Code’) provided:

‘(1)      The certified copies of authentic instruments, the duplicates or originals of documents under private signature and extracts, whether or not in electronic form, the lodging or publication of which are required by the following articles shall be lodged at the registry of the court of the undertaking in whose jurisdiction the company has its registered office.

(2)      The documents lodged shall be kept in the file kept at that registry for each company and the companies in question shall be entered in the register of legal persons, the register of the Banque-Carrefour des Entreprises [central business registration body].’

8.        Article 71 of the code stated:

‘The extract from company documents shall be signed for authentic instruments, by notaries, and for documents under private signature, by all partners jointly and severally or by one of them, entrusted for that purpose by the others with a special mandate.’

9.        Article 73 of that code provided:

‘Publication shall take place in the annexes to the Moniteur belge within 15 days of the deposit, failing which the officials to whom the omission or delay may be attributed shall be liable for damages.

…’

10.      Under Article 74(1) of that code:

‘The following shall be deposited and published in accordance with the preceding articles:

(1)      acts amending the provisions, which this Code requires to be published;’

2.      The Royal Decree of 30 January 2001

11.      Article 1 of the Arrêté royal du 30 janvier 2001 portant exécution du code des sociétés (Royal Decree of 30 January 2001 implementing the Companies Code) (4) provided:

‘… the court clerks of the [company] courts shall receive the deposit of all documents, extracts from documents, minutes and documents whose disclosure is ordered by the Companies Code …’

12.      Article 11 of that royal decree provided:

‘(1)      Documents, extracts from documents and documents whose publication is required in the annexes to the Moniteur belge shall be lodged at the Registry together with a copy. …

(2)      All paper documents submitted must meet the following conditions:

6°      be signed, as appropriate, by the notary acting or by persons authorised to represent the legal person in relation to third parties, stating the names and capacity of the signatories;

(3)      The copies of the documents, extracts from documents and documents referred to in Articles 67, 68, 74 … of the Companies Code … intended for the Moniteur belge shall be submitted without correction or redaction. …

…’

13.      Article 14 of the royal decree reads as follows:

‘The Registrar shall send to the management of the Moniteur belge, no later than the second working day following that on which it was lodged, copies of the documents, extracts from documents and documents … which he has received and which must be published in the annexes to the Moniteur belge.

…’

14.      Article 16 of that royal decree stated:

‘Where publication is necessary, it shall be made by means of the annexes to the Moniteur belge within the time limits laid down by law.’

3.      The Programme Law I of 24 December 2002

15.      Article 472 of the Loi-programme du 24 décembre 2002 (Programme Law of 24 December 2002) (5) provides:

‘The Moniteur belge is an official publication published by the management of the Moniteur belge, which brings together all the texts so that publication in the Moniteur belge is ordered.’

16.      Article 474 of that programme law states:

‘Three paper copies shall be published in the Moniteur belge by the management of the Moniteur belge.

One copy is stored electronically. The King shall determine the arrangements for electronic storage …’

17.      Article 475 of the same programme law is worded as follows:

‘Any other making available to the public shall be made via the website of the management of the Moniteur belge.

The publications made available on that website shall be the exact reproductions in electronic format of the paper copies provided for in Article 474.’

18.      Under Article 475a of the Programme Law of 24 December 2002:

‘Any citizen may obtain a copy of the documents and documents published in the Moniteur belge by means of a free telephone helpline at cost price from the Moniteur belge. This service is also responsible for providing citizens with a document search help service.’

19.      Article 475b of that programme law:

‘Other accompanying measures shall be taken by Royal Decree deliberated in the Council of Ministers in order to ensure the widest possible dissemination of and access to the information contained in the Moniteur belge.’

II.    Facts, proceedings and the questions referred for a preliminary ruling

20.      LM is a majority shareholder of Bureau LM, a Belgian private limited liability company.

21.      On 23 January 2019, that company held a general meeting during which it decided to reduce its capital, amending its articles of association to that effect.

22.      In accordance with the legal rules governing disclosure, a notary prepared a partial text. On 12 February 2019, the notary lodged it at the Registry of the tribunal de l’entreprise néerlandophone de Bruxelles (Brussels Companies Court (Dutch-speaking), Belgium) for the purposes of its official publication in the Moniteur belge.

23.      On 22 February 2019, that partial text was published in the annexes to the Moniteur belge. In particular, it contained the decision to reduce the company’s capital, the initial amount of capital, the amount of the reduction, the new amount of share capital and the new text of the articles of association. In addition to the information published pursuant to a legal requirement, the partial text at issue contained the names of the two partners of the company at issue, the amounts that had been repaid to them and their bank account numbers (‘the passage at issue’), the publication of which was not required by law.

24.      Having found that the notary had erred in including the passage at issue in the partial text published, the DPO of the notary, referring to Article 17 of the GDPR, requested the FPS Justice to delete the passage at issue and to publish the partial text once again, this time without that passage.

25.      On 10 April 2019, the FPS Justice refused to grant that request (6) and offered to publish a new partial text, redacted from the passage at issue, while leaving the original publication of 22 February 2019 intact.

26.      On 21 January 2020, LM, one of the two partners of the company concerned, filed a complaint with the DPA against the Moniteur belge (the FPS Justice) alleging infringement of Article 5 (in particular the data minimisation principle), Article 6 (processing of personal data) and Article 17 (right to erasure) of the GDPR.

27.      By decision of 23 March 2021, the DPA upheld the complaint and, in essence, ordered the deletion of the passage at issue.

28.      On 22 April 2021, the Belgian State brought an appeal against that decision before the cour d’appel de Bruxelles (Court of Appeal, Brussels), the referring court, seeking the annulment of that decision. LM intervened in the dispute.

29.      The referring court points out that the parties disagree on how the concept of ‘controller’ in Article 4(7) of the GDPR should be interpreted. It notes that, after receiving the partial text from the tribunal de l’entreprise néerlandophone de Bruxelles (Brussels Companies Court (Dutch-speaking)), the Moniteur belge, in accordance with the legal provisions governing its status and tasks, published that text as it stood, that is to say, without any power of review or amendment. In particular, the referring court inquires whether each of the potential successive entities, or only one of them, must be classified as a ‘controller’ within the meaning of that article and, therefore, under Article 5(2) of the GDPR, is responsible for compliance with the principles laid down in Article 5(1) of that regulation.

30.      In that regard, that court asks whether such a concept of successive or subsequent responsibility is enshrined in that regulation. If it is considered that the Moniteur belge is the recipient of the data within the meaning of Article 4(9) of the GDPR, that court wonders whether, in turn, that journal acted as the ‘subsequent’ controller of the processing. However, that does not appear to be the case since, under the applicable Belgian law, the Moniteur belge is not in a position to define the means and purposes of its own processing within the meaning of Article 4(7) of the GDPR.

31.      It is against that background that the cour d’appel de Bruxelles (Court of Appeal, Brussels) referred the following questions to the Court of Justice:

‘(1)      Must Article 4(7) of the [GDPR] be interpreted as meaning that a Member State’s official [journal] – vested with a public task of publishing and archiving official documents, which, under the applicable national legislation, is responsible for publishing official documents whose publication is ordered by third-party public bodies, as they stand when received from those bodies after the latter have themselves processed the personal data contained in those documents, without the national legislature having granted the official [journal] any discretion over the content of the documents to be published or the purpose and means of publication – has the status of data controller?

(2)      If the answer to Question 1 is in the affirmative, must Article 5(2) of the [GDPR] be interpreted as meaning that only the official [journal] in question need comply with the data controller’s responsibilities under that provision, to the exclusion of the third-party public bodies which have previously processed the data contained in the official documents whose publication they are requesting, or are those responsibilities incumbent cumulatively on each of the successive controllers?’

32.      The DPA, the Belgian and Hungarian Governments and the European Commission submitted written observations.

33.      At the hearing on 23 March 2023, the DPA, the Belgian Government and the Commission appeared before the Court.

III. Assessment

A.      First question referred

34.      By its first question, the referring court asks, in essence, whether Article 4(7) of the GDPR must be interpreted as meaning that a Member State’s official journal has the status of data controller. At the outset, I should make two observations that pertain to the formulation of that question.

35.      First, it is apparent from the decision of the referring court that the Companies Code provides that companies have the legal obligation to publish various documents and decisions in the annexes to the Moniteur belge. That court also notes that the Moniteur belge comes under the FPS Justice, without that point being further explained. Since the division of powers of the national authorities within a Member State is a matter for national rules, in the present Opinion, I shall make reference only to the Moniteur belge.

36.      Second, I should observe that, in its question, the referring court inserts a passage between two short dashes that seems to be an explanation of the powers conferred upon the Moniteur belge by the Belgian legislature.

37.      Consequently, that question could be reformulated as asking, in essence, whether a Member State’s official journal, such as the Moniteur belge, which is vested, under the applicable national legislation, with the task of publishing and archiving official documents, can be considered to be a controller, within the meaning of Article 4(7) of the GDPR, in circumstances where the publication of those documents, as they stand, is ordered by third-party entities, where those entities have themselves processed the personal data contained in those documents, and where that official journal enjoys no discretion over the content of the documents to be published or the purpose and means of that publication.

38.      In order to answer that question, I should note, at the outset, that the term ‘controller’ is defined by Article 4(7) of the GDPR as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’. It becomes clear from that provision, when read together with Article 5(1) of the GDPR, which lays down the principles relating to processing of personal data, that each stage of the data processing requires there to be a controller. (7) Thus, when personal data are processed, there should always be a controller that is the key actor in the operationalisation of data protection law, (8) making it important to identify that controller at every stage of the processing. (9) The concept of ‘controller’ encompasses both natural and legal persons as well as public authorities, agencies or other bodies. However, it is clear that the classification of the type of entity does not give rise to any difficulties in the present case.

39.      Before turning to the crux of the question, that is, the determination of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, I think it is important to clarify whether the operations at issue in the present case constitute ‘processing’ of ‘personal data’ within the meaning of Article 4(2) and (1) of the GDPR respectively.

1.      ‘Processing’ of personal data’

40.      First, it must be borne in mind that ‘personal data’, within the meaning of Article 4(1) of the GDPR, means ‘any information relating to an identified or identifiable natural person’, it being understood that, according to the case-law, that definition is applicable where, by reason of its content, purpose or effect, the information in question is linked to a particular person. (10) In the present case, it is not disputed by the parties that the data included in the passage at issue, such as the names of the two partners of the company and their bank account numbers, constitute personal data. In my view, the amounts that have been repaid to those partners are not necessarily personal data in their own right. However, when combined with the name of the persons who received them, those amounts are indeed to be regarded as personal data.

41.      Second, under Article 4(2) of the GDPR, the concept of ‘processing’ is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’, such as, inter alia, ‘consultation, use, disclosure by transmission, dissemination or otherwise making available’ of personal data. Those definitions reflect the fact that the EU legislature sought to assign a wide scope to those two concepts. (11)

42.      For instance, in its judgment in Google Spain, the Court held that the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) of Directive 95/46/EC – (12) which corresponds, in essence, to Article 4(2) of the GDPR – when that information contains ‘personal data’. (13) Moreover, in the judgment in Fashion ID, (14) the Court held that the processing of personal data may consist in one or a number of operations, each of which relates to one of the different stages that the processing of personal data may involve.

43.      In my view, three successive instances of processing of personal data took place in the present case. The first processing concerns the notary, who drafted the document to be published in the Moniteur belge (and, in so doing, made the mistake of including the personal data at issue) and lodged it before the Registry of the Companies Court. The second processing concerns that registry, which added that document to the company file and sent it for publication to the Moniteur belge. The third processing involved the Moniteur belge, which not only transformed the paper document into an electronic document, but also collected, recorded, stored, disclosed and disseminated it. In my view, it is beyond doubt that all three instances and, in particular, the operations carried out by the Moniteur belge constitute ‘processing’, within the meaning of Article 4(2) of the GDPR.

44.      However, the fact that processing took place in those three instances does not necessarily mean that the Moniteur belge acted as a data controller. That is because the GDPR draws a distinction, set out in Article 4(7) and (8) thereof, between, on the one hand, data controllers and, on the other hand, data processors. While the controller defines the purpose and means of processing, (15) the processor processes personal data on behalf of the controller. (16) Therefore, while it is clear that the three instances constitute ‘processing’, within the meaning of Article 4(2) of the GDPR, that finding does not determine whether the Moniteur belge – or another entity involved in that three-step chain – has the status of controller in the present case.

2.      Determining the purposes and means of the processing of personal data

45.      Whether the Moniteur belge acted as a ‘controller’ amounts, in my view, to examining whether it ‘determines the purposes and means of the processing of personal data’, within the meaning of Article 4(7) of the GDPR.

46.      At the outset, I should point out that, according to the relevant case-law of the Court, the concept of ‘controller’ must be defined broadly. Indeed, the Court has previously held that the objective of Article 4(7) of the GDPR is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects. (17) Moreover, the concepts of controller and processor are functional concepts: they aim to allocate responsibilities according to the actual roles of the parties. (18) Put differently, the ‘personal data processing controller is the person that decides why and how data will be processed’. (19) Therefore, the determination of the responsibilities of the controller is ‘based on a factual rather than a formal analysis’. (20)

47.      Second, by specifying ‘alone or jointly’ with others, Article 4(7) of the GDPR recognises that ‘the purposes and means’ of the data processing may be determined by more than one entity. However, the extent to which two or more actors jointly exercise control may take on different forms, (21) which will be discussed in my analysis of the second question.

48.      Third, I should observe that, by adopting the Royal Decree of 25 June 2020, the Kingdom of Belgium designates the FPS Justice as the controller within the meaning of Article 4(7) of the GDPR. (22) However, the events in the main proceedings took place prior to the entry into force of that decree. Therefore, it is not applicable ratione temporis to the present case. It follows therefore that the Court has to examine the allocation of competences and responsibilities between the national entities prior to the entry into force of that decree.

49.      Having made those preliminary remarks, I will now examine the conditions laid down in Article 4(7) of the GDPR, that is to say, which of the entities in question ‘determines the purposes and means of the processing’ of the personal data at issue.

(a)    Implicit designation of the controller by national law

50.      The controllership may be grounded in the relevant law or may stem from an analysis of the factual elements or circumstances of the case. (23) Article 4(7) of the GDPR states that, where the purposes and means of such processing are determined in particular by the law of a Member State, the controller may be designated or the specific criteria applicable to its designation may be provided for by that law. It follows that when an entity has been specifically identified by law as a controller, that designation is determinative. (24) However, in the present case, there is no specific provision that explicitly designates a data controller.

51.      It is also possible that the law, albeit implicitly, designates an entity as the controller. (25) For instance, when national legislation imposes an obligation on the entity at issue to retain or provide certain data, such an entity would be considered to be a controller with respect to the processing that is necessary to comply with that obligation. Such an implicit designation by national legislation occurs when it is apparent from the role, tasks and powers conferred on that authority that it determines the purposes and means of the processing in question. In the judgment in Manni, the Court relied on the appraisal of facts, stating that ‘by transcribing and keeping that information in the register and communicating it, where appropriate, on request to third parties’, the authority legally responsible for maintaining a company register carries out ‘processing of personal data’ for which it is the ‘controller’, as defined in Article 2(b) and (d) of Directive 95/46. (26)

52.      In the present case, although the national legislation has not explicitly designated a data controller, it provides that companies have the legal obligation to publish certain documents in the Moniteur belge. (27) Thus, it has created a legal obligation to process data, which must be managed by a controller. The national legislature has designed a scheme whereby there are three entities that process the data successively; however, the parties disagree on which of those three entities is actually the controller. (28) Therefore, the specific powers assigned to those entities need to be established in order to determine which of them the legislature has implicitly designated as controller for the third stage of the processing, that is, the operations carried out by the Moniteur belge.

(b)    The effective and complete protection of data subjects

53.      Article 4(7) of the GDPR, through the use of the verb ‘to determine’, requires a controller to exert influence over the processing by virtue of an exercise of decision-making power. (29) For instance, in the Facebook ‘Like’ plugin case, (30) the issue was whether or not Fashion ID, an online clothing retailer which had embedded on its website the ‘Like’ social plugin from the social network Facebook, determined jointly with Facebook the means of the collection and disclosure by transmission of the personal data of visitors to Fashion ID’s website. In that case, the Court explicitly stated that by embedding that social plugin on its website, Fashion ID exerts a decisive influence over the collection and transmission of the personal data of visitors to that website on the provider of that plugin, Facebook Ireland, which would not have occurred without that plugin. (31) It follows that having decisive influence over the processing of personal data implies that the entity exercising that influence is a controller. However, not having decisive influence does not suffice to rule out the fact that an entity may still enjoy the status of controller.

54.      Because of the ways in which information is produced and distributed electronically, the dissemination of data on the internet increases exponentially the risks of breaching the fundamental rights to respect for private life and protection of personal data. (32) Well aware of that risk, the Court has adopted a broad definition of the concept of ‘controller’ (33) in order for the GDPR to guarantee the effective and complete protection of data subjects, in particular their right to privacy. (34) To that end, in the judgment in Google Spain, the Court held that it would be contrary not only to the clear wording of Article 2(d) of Directive 95/46, which corresponds, in essence, to Article 4(7) of the GDPR, but also to its objective to exclude the operator of a search engine from that definition on the ground that it does not exercise control over the personal data published on the web pages of third parties. (35) By adopting such a broad definition, it is clear that the Court has opted for a purposive interpretation of that provision: the definition of ‘controller’ must guarantee the effective and complete protection of data subjects. Moreover, I should point out that such an interpretation can only be reinforced by the GDPR, which was adopted on the basis of Article 16(1) TFEU, empowering the EU legislature to safeguard the fundamental right to protection of personal data provided for in Article 8(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’). (36)

55.      In the present case, it is clear that the national legislature has designed a scheme with three different instances of processing: a chain that starts with the notary drafting and signing of the documents concerned, is followed by the Registry of the Companies Court adding the document to the company file and storing the document, and ends with the Moniteur belge digitally transforming and publishing those documents. While it is true that the Moniteur belge must publish the document concerned as it stands, the fact remains that, for the purposes of its publication, it is neither the notary nor the Registry of the Companies Court that transforms it into an electronic document; it is the Moniteur belge alone that undertakes to do so and then disseminates the document concerned on the internet.

56.      In particular, I should point out that, by adopting Articles 474 to 475b of the Programme Law of 24 December 2002, the national legislature conferred certain powers on the Moniteur belge. It follows from those provisions that the Moniteur belge not only  publishes the paper version of the documents concerned, but also makes them available via its website in electronic format, stores them electronically, makes them available to citizens by providing a helpline and a document search help service, and, finally, ensures the widest possible dissemination of and access to the information contained in the Moniteur belge. Therefore, to my mind, it follows from those provisions that the national legislature, by entrusting the Moniteur belge with powers with respect to digital transformation, publication, dissemination and storage of the documents at issue, has conferred upon that journal powers falling within the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR. (37)

57.      By carrying out the abovementioned operations entrusted to it by the legislature, namely digital transformation, publication and dissemination, the Moniteur belge exponentially increases the risk of breaching the fundamental rights of the person concerned (when compared to the mere publication of the document in its paper version). It is that official journal’s processing that actually threatens the effective and complete protection of the data subject at issue. Consequently, I see no other alternative than to consider that, on account of the objective of guaranteeing the effective and complete protection of data subjects and because of the potential harm that the digital transformation and dissemination may cause to those subjects, the Moniteur belge cannot be excluded from the definition of data ‘controller’ within the meaning of Article 4(7) of the GDPR.

58.      Finally, as to the applicability of the case-law concerning private search engines to public entities, such as the Moniteur belge, it should be noted that, in a recent judgment, the Court applied that case-law for the purposes of confirming that the public prosecutor’s office must be considered to be a ‘controller’. (38) In my opinion, the rationale for such an application is underpinned by the broad interpretation of the concept of ‘controller’, within the meaning of Article 4(7) of the GDPR, in order to ensure effective and complete protection of the fundamental rights and freedoms of data subjects enshrined in primary law, (39) irrespective of whether the controller is a public or a private entity. (40) In order to ensure such effective and complete protection, the principles of data protection imposed on private search engines are relevant to private as well as public entities that are subject to the same overarching principles relating to data and to obligations under the GDPR, which constitute a concrete expression of primary law.

(c)    Whether another entity is a data controller

59.      At the hearing, the Belgian Government argued that the notary should be held to be a data controller since he or she determines the means and purposes of the data processing.

60.      In my opinion, if the notary were to be held to be the sole controller, it would mean that, in practice, nobody would be the controller of the third stage of the processing, that is, the operations carried out by the Moniteur belge, since the legislature has not empowered the notary – as illustrated by the facts of the present case – to decisively influence that third stage of processing. That said, the three entities at issue may be involved at different instances and to different degrees in the processing of personal data, with the result that each of them may be considered to be a controller, albeit with a different scope and level of responsibility stemming from the controllership. (41) Moreover, I would point out that, as stated by the Commission at the hearing, the law could, in theory, designate the Moniteur belge as the processor, provided that the national legislation has imposed an obligation on several entities of drafting, storing and digitally disseminating the document at issue. However, for the Moniteur belge to qualify as a processor, the conditions specified in Article 28 of the GDPR should be met, which is clearly not the case in the circumstances as presented to the Court, since each entity concerned is responsible for its own part of the processing. (42) Therefore, the Moniteur belge cannot be regarded as a ‘processor’ within the meaning of that provision.

61.      Moreover, the Belgian Government contended that the national legislature itself acts as the controller or defines an entity responsible for the controlling, while the Moniteur belge was only exercising the powers conferred on it. According to that government, the case-law concerning private search engines cannot apply to public entities, since the Moniteur belge, as a public authority set up by the legislature, cannot alone determine its mission and tasks.

62.      As I have already pointed out, (43) in the present case the national legislature has implicitly designated the Moniteur belge as a data controller by conferring on it the power to carry out a certain number of specific tasks.

63.      In any event, I take the view that, if the Court were to consider that the national legislature has the status of controller whenever it exercises its power to determine the purposes and means of a given processing operation, such an approach would result in natural persons no longer being afforded effective protection, so that the concept of controller would be deprived of effectiveness. Indeed, the effective protection of data subjects cannot be ensured if the numerous responsibilities of the controller were carried out, in respect of each processing of personal data prescribed by the legislation of a Member State, by the legislature itself. Thus, in my opinion, when a public authority has been given the power to process personal data, it is not the legislature that is the controller, but the authority that carries out the public tasks that is the entity that controls the purposes and means of that processing. (44) In the present case, it is clear from the circumstances that the processing at issue, as explained in point 43 of the present Opinion, takes place as an implementation of national legislation, which excludes the hypothesis that the legislature itself – when passing laws – is the controller of the processing of personal data.

(d)    The lack of discretion

64.      In the present case, it appears from the national legislation presented to the Court that the Moniteur belge has no decision-making power as to the texts which it is required to publish. (45) Indeed, as underlined by the Belgian Government in its written submissions and at the hearing, the Moniteur belge had 15 days (46) to publish the document, which must be an exact copy of that which was drafted by the notary. In the case of omission or delay, the civil servant of the Moniteur belge is at risk of being sued for damages. (47) To avoid such an occurrence, that authority does not check that the information which it is required to publish is complete, valid or accurate. Therefore, as argued by the Belgian Government, it appears that the Moniteur belge does not have the power to review the content of those documents, including the personal data which they might contain.

65.      However, since the legislateur itself, when passing laws, does not act as a controller, and since no other entity has any influence on the determination of the purposes and means of the processing in question – that is, the digital transformation and the digital dissemination of the documents at issue – in order to prevent a lacuna in the designation, the Moniteur belge must be designated as a controller. The notary and the Registry of the Companies Court simply lack the power to intervene at that stage. That being the case, the absence of discretion on the part of the Moniteur belge cannot serve as a carve-out to the effective protection of data subjects. It must therefore be held that the Moniteur belge is a controller within the meaning of Article 4(7) of the GDPR, albeit implicitly designated, for the processing of personal data when publishing documents, as required by the national legislation.

(e)    The deletion of personal data

66.      It appears from the facts of the present case that the DPO of the notary requested the FPS Justice (acting on behalf of the Moniteur belge) to delete – remove from the internet – the passage at issue and to publish the partial text without that passage. The FPS Justice refused to grant that request and offered to publish a new partial text. In those circumstances, it appears that the notary concerned has no power to order the amendment or withdrawal of the passage at issue. However, I should emphasise that no other entity would appear to have that power either.

67.      The Belgian Government states that it was the national legislature’s intention that the documents published in the Moniteur belge be kept immutable over time for archiving purposes and that the electronic version of the publications remain the exact copy of the paper version at all times, which precludes any retroactive amendment. That government adds that, in order to correct a document of a legal person published in the Moniteur belge, the notary must lodge an amending document at the Registry of the Companies Court, which must then ask the management of the Moniteur belge to publish that amending act. On the other hand, it is not possible, under Belgian law, to delete the original act altogether lest the principle of the immutability of the Moniteur belge might be breached.

68.      In my opinion, the refusal of the public authority to delete the passage containing the personal data in question and to publish the document at issue without that passage has the effect of maintaining those data publicly available. This means, in my view, that that authority, while applying national laws, is acting as a ‘controller’ within the meaning of Article 4(7) of the GDPR, since, by not withdrawing the passage at issue and keeping it public, it determines the purposes and means of the processing of personal data. If the Moniteur belge were not recognised as a controller, it would appear that no authority would have that status. (48)

69.      In my view, the status of ‘controller’ cannot depend on the fact that an authority such as the Moniteur belge is, by virtue of national law, unable to comply with a request for erasure of data. Therefore, when there is a lacuna in the national legislation, it is for the national authorities and, at this stage, for the national court to designate, by applying the GDPR, the entity that must comply with the obligations arising from that regulation. In the present case, since the data are being processed they remain publicly available, but the national law has not designated a responsible authority as a controller for that part of the processing.

70.      In such a scenario, since the national legislature has left a lacuna by not designating a controller, the Court should indicate that it is for the referring court to designate, on the basis of the circumstances as described to the Court, the Moniteur belge (or the FPS Justice, according to that court’s assessment) as controller. Only such an interpretation would be consistent, in my opinion, with the objective of Article 4(7) of the GDPR to ensure, by a broad definition of the concept of ‘controller’, effective and complete protection of data subjects. (49) This would also avoid loopholes and prevent possible circumvention of the GDPR rules.

71.      As to the practical arguments arising from the principle of immutability of the information disseminated by the Moniteur belge, it is for the national legislature, in the light of the obligations stemming, inter alia, from Articles 5 and 17 of the GDPR, to enact a legislative framework, which takes into account the protection of data subjects and that principle. Since the publication of personal data increases the risk of harm to data subjects exponentially, there is a need for innovative solutions to be provided by national law. (50)

72.      In conclusion, in the present case I suggest that the Court holds that the Moniteur belge is acting as a ‘controller’ within the meaning of Article 4(7) of the GDPR when deciding to refuse to withdraw the passage at issue from the public domain, that is when keeping that passage publicly available.

3.      Interim conclusion

73.      In the present case, the national legislation has created an obligation to designate a data controller in order to comply with the obligations arising from the GDPR. First, as to the digital transformation, publication and dissemination of the data at issue, the Moniteur belge must be identified as a data ‘controller’ within the meaning of Article 4(7) of the GDPR for the purposes of ensuring the fundamental rights of the person concerned. Second, as to the lack of withdrawal of the data at issue, there is a lacuna in the national legislation in so far as none of the entities concerned are permitted to withdraw those data. In such a case, it is for the national court, applying the GDPR in order to ensure the protection of fundamental rights of the persons concerned, to designate a controller, which, in the present case, would appear to be the Moniteur belge.

74.      Consequently, I propose that the answer to the first question should be that Article 4(7) of the GDPR is to be interpreted as meaning that a Member State’s official journal, such as the Moniteur belge, which is vested, under the applicable national legislation, with the task of publishing and archiving official documents, for the purposes of ensuring an effective and complete protection of data subjects, can be considered to be a controller within the meaning of Article 4(7) of the GDPR in circumstances where the publication of those documents, as they stand, is ordered by third-party entities since the national legislature has granted that journal  the power to determine the means of the digital transformation, publication, dissemination and storage of the documents at issue and has set wide publication and dissemination purposes. However, as to the absence of the designation of the controller with respect to the withdrawal or erasure of data and since the data at issue remain publicly available, it is for the national court to designate the entity that must comply with the obligations arising from the GDPR.

75.      If the Court adopts that answer to the first question, only then should it answer the second question, that is to say, whether the Moniteur belge or the authority managing it must be solely responsible for compliance with the obligations imposed on the data controller by the GDPR.

B.      Second question referred

76.      By its second question the referring court asks, in essence, whether Article 5(2) of the GDPR must be interpreted as meaning that only the official journal in question needs to comply with the data controller’s responsibilities under that provision, to the exclusion of the third-party entities which have previously processed the data contained in the official documents the publication of which they are requesting, or whether those responsibilities are incumbent cumulatively on each of the successive controllers.

77.      Under Article 5(2) of the GDPR, the controller is responsible for compliance with the principles laid down in paragraph 1 of that article, such as the principle of data minimisation and accuracy, (51) and must be able to demonstrate that those principles have been complied with. Since a natural person seeks to obtain the deletion of the personal data in respect of which the national legislation does not require publication, the referring court explains that it needs to decide whether the Moniteur belge or the authority managing it must be solely responsible for compliance with the principles of data minimisation and accuracy or whether the two other entities are also responsible for compliance with those principles.

78.      In particular, the referring court, while noting that the parties to the main proceedings do not rely on there being joint controllers as provided for in Article 26 of the GDPR, wonders whether each of the potential successive controllers, or only one of them, must be classified as a ‘controller’ within the meaning of Article 4(7) of that regulation and therefore be held responsible, under Article 5(2) of that regulation, for compliance with the abovementioned principles.

1.      Operations that follow in time

79.      As I have already pointed out, (52) the personal data in question set out in the passage at issue that was published in the Moniteur belge were processed in turn by several entities, namely by the notary who drafted the extract, by the Registry of the tribunal de l’entreprise néerlandophone de Bruxelles (Brussels Companies Court (Dutch-speaking)) which added it to the company’s file and, finally, by the Moniteur belge that published it as it stood.

80.      With respect to that chain of events, it should be observed that the processing of the personal data in question entrusted to the Moniteur belge is not only subsequent to the processing carried out by the notary and the Registry of the Companies Court, but is also technically different from and additional to the processing carried out by those two entities. It is important to point out that, in so far as the operations carried out by the Moniteur belge entail in particular the digital transformation of the data contained in extracts of documents submitted to it, the publication, the making widely available to the public and the storage of those data, the operations legally entrusted to the Moniteur belge have – in comparison with the processing carried out previously by the two other entities – a significant and additional effect on and entail a risk to the fundamental rights to respect for private life and protection of personal data. (53)

81.      Therefore, it is for the Moniteur belge to comply with all the obligations imposed on the controller by the GDPR with respect to the processing operations imposed on it by the national law.

2.      Exclusion of a joint responsibility

82.      Article 4(7) of the GDPR recognises that ‘the purposes and means of the processing’ may be determined by more than one actor. It states that the concept of ‘controller’ refers to the body which, ‘alone or jointly with others’, determines the purposes and means of the processing. That situation is envisaged in Article 26 of the GDPR, whereby several different entities may act as controllers in the same processing, each of them being subject to the applicable data-protection provisions. (54)

83.      I should recall that Article 26(1) of the GDPR provides that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. The same paragraph adds that joint controllers are to define their respective responsibilities for the purpose of ensuring compliance with all the requirements of the GDPR in a transparent manner, unless and to the extent that their respective obligations are defined, inter alia, by the law of the Member State to which the controllers are subject. Therefore, the joint responsibility of several controllers does not necessarily depend on the existence of an agreement between the different controllers or even on their intention, but may arise from national law provided that the designation of several controllers and the respective obligations of each of those controllers in the light of the requirements of the GDPR can be inferred from that law.

84.      However, the fact that several actors are involved in the same chain of processing does not mean that they necessarily act as joint controllers. (55) Moreover, the Court has held that a natural or legal person cannot be regarded as being responsible for previous or subsequent operations in the chain of processing for which it does not determine either the purposes or the means. (56) Thus, it does not seem, in the present case, that the national law has designated joint controllers, since the notary has no control over the operations carried out by the Moniteur belge.

85.      Therefore, I take the view that, in the present case, the joint responsibility of the three entities is not established by national law nor can it be ascertained from the facts as presented by the referring court. With respect to the facts in the main proceedings, I should in particular point out that the three entities in the chain are not subject to the same means of processing, since the Moniteur belge carries out the digital transformation, the publication and the dissemination of the documents in question. Furthermore, in view of the facts in the main proceedings, the natural person concerned who seeks to make use of his or her right to erasure according to Article 17 of the GDPR would have to exercise his or her rights under the GDPR in respect of and against each of the joint controllers. From that perspective, each of the actors would, therefore, be separately responsible for compliance with the principles referred to in Article 5(1) of the GDPR. (57)

86.      It follows that, in my view, no ‘cumulative’ responsibility of the various controllers under Article 5(2) of the GDPR may be established. Indeed, each of the actors involved in the chain of processing can only be responsible individually for compliance with the principles referred to in Article 5(1) of that regulation in relation to the processing operations they have carried out in accordance with the purposes and means of data processing. In the present case, since the data were incorrectly published not by the notary but by the Moniteur belge, it seems to me that that authority, despite the fact that it did not itself include the data in the passage at issue, must also be held individually responsible for compliance with the principles referred to in Article 5(1) of the GDPR.

87.      Finally, I would like to point out that it falls to the referring court to ascertain the compatibility of the national law that provides for the possibility of rectification, but not erasure, of the data published in the Moniteur belge with the GDPR. Indeed, the national legislation does not appear to allow the Moniteur belge to delete retroactively data already published (including in electronic form). In that context, it is true that the rights of rectification and erasure, provided for in Articles 16 and 17 of the GDPR, respectively, may, as stated in Article 23 of the GDPR, be restricted under national law. However, such a restriction must, in accordance with Article 52(1) of the Charter, be imposed by law, respect the essence of the fundamental rights of natural persons and observe the principle of proportionality. (58)

3.      Interim conclusion

88.      I therefore propose that the answer to the second question should be that Article 5(2) of the GDPR must be interpreted as meaning that the official journal in question is required to comply with the data controller’s responsibilities under that provision for the operations it has carried out. The processing at issue does not give rise to joint controllership and the Moniteur belge has sole responsibility with respect to the processing operations imposed on it by the national law.

IV.    Conclusion

89.      In the light of the foregoing considerations, I propose that the Court reply to the question referred for a preliminary ruling by the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium) as follows:

Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that a Member State’s official journal, such as the Moniteur belge, which is vested, under the applicable national legislation, with the task of publishing and archiving official documents, for the purposes of ensuring an effective and complete protection of data subjects, can be considered to be a controller within the meaning of Article 4(7) of Regulation 2016/679 in circumstances where the publication of those documents, as they stand, is ordered by third-party entities since the national legislature has granted that journal the power to determine the means of the digital transformation, publication, dissemination and storage of the documents at issue and has set wide publication and dissemination purposes. However, as to the absence of the designation of the controller with respect to the withdrawal or erasure of data since the data at issue remain publicly available, it is for the national court to designate the entity that must comply with the obligations arising from Regulation 2016/679.

Article 5(2) of Regulation 2016/679 must be interpreted as meaning that the official journal in question is required to comply with the data controller’s responsibilities under that provision for the operations it has carried out. The processing at issue does not give rise to joint controllership and the Moniteur belge has sole responsibility with respect to the processing operations imposed on it by the national law.


1      Original language: English.


2      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).


3      Moniteur belge, 6 August 1999, p. 29440.


4      Moniteur belge, 6 February 2001, p. 3008.


5      Moniteur belge, 31 December 2022, p. 58686.


6      It relied on the exception provided for in Article 17(3) and Article 86 of the GDPR.


7      Under Article 4(2) of the GDPR, ‘processing’ means ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.


8      See judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317; ‘the judgment in Google Spain’), and Lynskey, O., ‘Control over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez’, The Modern Law Review, Vol. 78, No 3, 2015, pp. 522-534.


9      See Opinion of Advocate General Ćapeta in Norra Stockholm Bygg (C‑268/21, EU:C:2022:755, point 17). See also judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 68), and Bygrave, L.A. and Tosoni, L., ‘Article 4(7). Controller’, in Kuner, C., Bygrave, L.A., Docksey, C., Drechsler, L. and Tosoni, L. (eds), The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press, Oxford, 2021, pp. 146–150.


10      See, to that effect, judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994, paragraph 35).


11      Ibid., paragraph 34, and judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, paragraph 35).


12      Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).


13      The judgment in Google Spain, paragraph 41. See also judgment of 8 December 2022, Google (De-referencing of allegedly false information) (C‑460/20, EU:C:2022:962, paragraph 49).


14      Judgment of 29 July 2019 (C‑40/17, EU:C:2019:629, paragraph 72).


15      Article 4(7) of the GDPR.


16      Article 4(8) of the GDPR. For instance, with respect to the responsibility of a search engine, the Court has held that the processing of personal data carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page, underlining that the operator of the search engine is the person determining the purposes and means of the activity carried out by that search engine (judgment of 8 December 2022, Google (De-referencing of allegedly false information), C‑460/20, EU:C:2022:962, paragraph 44).


17      See, to that effect, the judgment in Google Spain, paragraph 34, and judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388, paragraph 28).


18      See Guidelines 07/2020 on the concepts of controller and processor in the GDPR, EDPB, paragraph 12.


19      Opinion of Advocate General Bot in Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2017:796, point 46).


20      Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP 169, p. 11, of the Article 29 Data Protection Working Party, which is an advisory body established by Article 29 of Directive 95/46, now replaced by the European Data Protection Board (‘the EDPB’), set up under Article 68 of the GDPR.


21      Van Alsenoy, B., ‘Chapter 4. Allocation of Responsibility’, in Data Protection Law in the EU: Roles, Responsibilities and Liability, 1st edition, Intersentia, Mortsel, 2019, pp. 43-53.


22      See Article 2 of the Royal Decree of 25 June 2020 establishing the model for publication in the Moniteur belge referred to in Article 1250 of the Judicial Code. I should point out that in the capacity of the data controller, within the meaning of Article 4(7) of the GDPR, the FPS Justice does not only have to ensure the ‘operational management of the publication and provide technical means for the processing’, but it must also comply with the obligations set out in that regulation with respect to processing (see, namely, Articles 5 and 6 of the GDPR).


23      Guidelines 07/2020 on the concepts of controller and processor in the GDPR, EDPB, paragraph 20.


24      Ibid.


25      That said, the obligation, laid down in Article 4(7) of the GDPR, in conjunction with Article 5(1)(b) thereof, that the purposes must be determined and explicit requires at the very least that any indirect determination of the purposes of the processing must be apparent from the legal provisions underlying the activity of the authority concerned.


26      See judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 35).


27      See Articles 71 and 73 of the Companies Code.


28      At the hearing, the Belgian Government argued that the law had implicitly designated the notary as the controller, while the DPA argued that it had rather designated the Moniteur belge in that capacity.


29      Judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 68).


30      Judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629).


31      Ibid., paragraphs 78 and 79.


32      As pointed out by Advocate General Pitruzzella in his Opinion in Google (De-referencing of allegedly false information) (C‑460/20, EU:C:2022:271, point 15), because of that aspect, the Court stated in the judgment in Google Spain that the processing of personal data carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page.


33      Judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 70).


34      See, to that effect, judgment of 24 September 2019, GC and Others (De-referencing of sensitive data) (C‑136/17, EU:C:2019:773, paragraph 37).


35      The judgment in Google Spain, paragraph 34.


36      See recital 1 of the GDPR.


37      See point 68 below.


38      Judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation) (C‑180/21, EU:C:2022:967, paragraph 80).


39      See point 54 above.


40      See, namely, recitals 1 and 4 and Article 1(2) of the GDPR.


41      See, to that effect, judgment of 10 July 2018, Jehovan todistajat (C‑25/17, EU:C:2018:551, paragraph 66).


42      Pursuant to Articles 28 and 29 of the GDPR, the processing by a processor is to be governed by a contract or a legal act under EU or Member State law which is binding on the processor with regard to the controller and which specifies the processing. The national legislature should have set out rules on processing for the Moniteur belge to qualify as a processor.


43      See points 55 to 57 of this Opinion.


44      In addition, the argument submitted by the Belgian Government contradicts its argument submitted at the hearing, whereby it contended that the Moniteur belge does not enforce the law, but rather implements the request of the notary.


45      Articles 474 to 476 of the Programme Law of 24 December 2002.


46      It has become 10 days under new rules.


47      See, namely, Articles 73 and 76 of the Companies Code.


48      The issue that arises here is whether the Belgian legislature has not limited the powers of the controller in a manner that is contrary to the GDPR. It could be argued that such a limitation is problematic in the light of not only Article 17 of the GDPR but also Article 16(1) TFEU and Article 8(1) of the Charter, and may potentially undermine the effet utile of the protection granted by the GDPR. However, while the referring court will have to examine those issues, since the request of the data subject is based on Article 17 of the GDPR, they are clearly not within the scope of the present request for a preliminary ruling made by that court.


49      See point 54 above.


50      At the hearing, the Commission explained that, for instance, the Official Journal of the European Union can be amended and that such solutions do exist.


51      See Article 5(1)(c) and (d) of the GDPR.


52      See point 55 above.


53      As pointed out by Advocate General Pitruzzella in his Opinion in Google (De-referencing of allegedly false information) (C‑460/20, EU:C:2022:271, point 15), because of that aspect, the Court stated in the judgment in Google Spain that the processing of personal data carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page.


54      Judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 67). See also Guidelines 07/2020 on the concepts of controller and processor in the GDPR, EDPB, paragraph 29.


55      See Guidelines 07/2020 on the concepts of controller and processor in the GDPR, EDPB, paragraph 67. As stated by the Commission, not all types of partnership, cooperation or collaboration imply that the entities are joint controllers, as this capacity requires analysis on a case-by-case basis of each treatment and the precise role each entity plays in each treatment. I would argue that joint responsibility should be envisaged when two entities are carrying out processing operations that cannot be distinguished as separate steps of processing.


56      See, to that effect, judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 74).


57      For instance, only the Registry of the Companies Court is capable of adding the passage at issue to the company’s file.


58      See, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraphs 172 to 176).

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2023/C23122_O.html