IS THERE A TACIT JOINT CONTROLLER CAPACITY?

21 March 2024

When it comes to joint data processing, the simplest case is for the joint controllers to declare themselves as such and to set out their tasks and responsibilities in an agreement. There are, however, cases where the capacity of joint controller arises from a legal provision. In a recent decision, the Court of Justice of the European Union answers the question of whether national law can implicitly nominate the controller or joint controllers.

1. Facts

A Belgian private limited liability company reduced its capital, which under Belgian law must be published in the official gazette, the Moniteur belge.

A notary prepared the extract of the shareholders’ decision which, although the law does not require it, contained the names and bank account of the shareholders. The extract was first sent to the registry of the company court, which transmitted it to the Office of the Moniteur belge for publication. The latter published the extract as it stood, without checking its content.

After noticing that the publication in the Moniteur belge contained personal data of his that the law did not require, one of the shareholders requested the erasure of his personal data in accordance with the provisions of the GDPR[1]. The Federal Public Service Justice, to which the Office of the Moniteur belge is attached, refused the shareholder’s request for erasure.

The shareholder filed a complaint against the above decision before the Belgian data protection authority which ordered the Federal Public Service Justice to comply with the request for erasure. The Belgian State, which did not agree with this decision, brought an action before the Brussels Court of Appeal seeking the annulment of the contested decision.

One of the main questions in the court proceedings was whether the Moniteur belge may be considered a controller. Since the Court of Justice of the European Union (“CJEU”) has jurisdiction to interpret that concept, the Belgian court referred the case to the Luxembourg court.

2. Controller designated by law

The CJEU had to answer the question whether the entity responsible for the official journal of a Member State, which is required by law to publish, as they stand, official acts and documents prepared by third parties, may be classified as a controller.

First, the Court recalled that the determination of the purposes and means of processing is the basis for being a controller. However, the purposes and means of the processing may be determined, and the controller may be nominated, by the law of a Member State. Considering the broad definition of the concept of controller, national law may determine the purposes and means of processing and nominate the controller not only explicitly but also implicitly. In the latter case, the determination must be derived with sufficient certainty from the role, task and powers of the controller.

The protection of data subjects would be undermined if the concept of controller were interpreted restrictively to cover only those cases where the controller is expressly nominated by national law, even when the means and purposes of the processing are apparent from the legal provisions governing the activity of the controller.

The CJEU found that Belgian law has determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge. According to national law, the role of the Moniteur belge is to inform the public of the existence of the acts and documents sent to it so as to make them enforceable against third parties. Thus, the publication of such acts and documents, even without the possibility of amending them, is intrinsically linked to the purposes and means of processing determined by Belgian law.

This means that the Moniteur belge must be regarded as a controller, a conclusion that is not undermined by the fact that the Moniteur belge does not have legal personality.

3. Sole controller or joint controllers

After establishing that, by virtue of its role and tasks, the Moniteur belge must be considered a controller, the Luxembourg court examined the question whether the Moniteur belge is solely responsible for compliance with the principles of the GDPR[2] or jointly responsible with the entities that previously processed the data, such as the notary and the registry of the company court.

According to the CJEU, the processing that was entrusted to the Moniteur belge involves the digital transformation of the data contained in the documents submitted to it, and the publication and storage of those data. These operations are both subsequent to the processing by the notary and the registry of the company court and technically different from it.

The Court emphasized that in a processing chain concerning the same personal data, like that of the Moniteur belge and its predecessors, the joint responsibility of the actors may be established by national law directly but also indirectly. The precondition for joint responsibility is that the various processing operations are linked by purposes and means, and that national law determines the respective responsibilities of each of the joint controllers.

Based on the above, the CJEU found that Moniteur belge is solely responsible for compliance with the principles of the GDPR as regards the personal data processing operations that it is required to perform under the Belgian law, unless joint responsibility with other entities in respect of those operations arises under that law, which is to be decided by the Belgian court.

The Court added that even if the Belgian court concludes that the agency responsible for the Moniteur belge must be regarded as a joint controller, such a conclusion in no way prejudges the question whether the request for erasure should be granted.

4. Conclusion

In the analysed judgement, the CJEU, in line with its previous practice, further extended the concept of controller by clarifying that a controller or even joint controller capacity may be implicitly determined by the law of a Member State. The condition for such implicit determination is that it must be derived with sufficient certainty from the role, tasks and powers of the controller and that the national law shall determine the respective responsibilities of each of the joint controllers.

In this article we analysed decision C-231/22 of the CJEU.

 

[1] Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”)

[2] Article 5(1) of the GDPR