An individual does not enjoy an absolute right to have his/her personal details struck off the companies’ register, the Court of Justice of the European Union (CJEU) has recently ruled. However, member states enjoy a discretion to provide for restricted access by third parties to such data, upon the expiry of a sufficiently long period after the dissolution of a company.

EU Data Protection law has always sought to provide the utmost protection to EU citizens’ personal data. One way in which it does this is by endowing individuals with the right to request that any personal data which they would have passed on for some purpose or another are deleted. This is particularly so when such data is no longer necessary.

This does not mean that an individual may, upon a whim, request to have all his personal data deleted and that such a request must in all cases be acceded to. Therefore, if for example, the retention of the data is necessary for the performance of a contract or for compliance with a legal obligation, the data can be kept as long as necessary for that purpose. The new data protection regulation due to apply as from May 2018 has maintained this same right.

The facts of the case which came before the CJEU were briefly as follows. In 2007, the director of a company which was awarded a contract for the construction of a tourist complex in Italy, filed an action against the Lecce Chamber of Commerce. In his opinion, the properties in the complex were not sold because there was evidence in the companies’ register that he had been the administrator of another company which went bankrupt and was wound up in 2005.

The Italian Court seized of the case ordered the Lecce Chamber of Commerce to anonymise the data linking this director to the liquidation of the first company and to pay compensation for the damage suffered by him. The Lecce Chamber of Commerce appealed against the judgment and the Court of Appeal filed a preliminary reference before the CJEU requesting guidance as to whether the EU’s directive on the protection of personal data and the EU’s directive on disclosure of company documents, at any given time, preclude third parties from accessing data relating to natural persons provided for in the companies’ register.

A person’s rights stop where those of another begin

The CJEU noted that the public nature of company registers is intended to ascertain that there is legal certainty in dealings between companies and third parties. Another objective is that of protecting the interests of third parties in relation to joint stock companies and limited liability companies. This is necessary since the only safeguards the latter companies offer third parties are their assets. Issues requiring reference to personal data found in the companies’ register may arise many years after a company has ceased to exist, the Court observed. Taking into consideration two major facts – namely, the contractual relationships which a company might have entered into with third parties and the diversity of limitation periods provided for by various national laws – the Court came to the conclusion that it is impossible to identify a single period after which the data in the register and their disclosure would no longer be necessary. This means that member states cannot guarantee that natural persons whose data are included in the company register have the right to obtain the erasure of such data, even after the lapse of a specified period of time from the dissolution of a company.

The Court observed that though such an approach might impinge on a person’s fundamental rights, it cannot be said to be disproportionate. The Court highlighted the following justifications. Primarily, it pointed out that only a limited number of personal data items are entered in the company register. Furthermore, the CJEU emphasised that it was only fair that natural persons who represent the company, and who only offer the assets of that company as safeguards in legal relationships with third parties, are required to disclose data relating to their identity and functions within that company.

However, the Court acceded that, in exceptional cases, and due to overriding and legitimate reasons relating to the specific case, access to personal data by third parties is restricted, upon the expiry of a sufficiently long period after the dissolution of the company in question. Such a limitation on access to personal data must, however, be based on a case-by-case assessment and furthermore it is for each member state to decide if it wants to provide for such a limitation to access in its national legal system, the Court maintained.

In the case under examination, the Court concluded that the mere fact that the properties in question were not sold to potential purchasers who had access to the director’s personal data as entered on the companies’ register could not justify a limitation to access by third parties to such data who had every legitimate interest to avail themselves of such information.

Despite the fact that the new Data Protection Regulation has reinforced individuals’ rights and given individuals more control over their personal data, a delicate balance must in practice be at all times kept between such rights and those of third parties or the public at large. As the mantra goes, a person’s rights stop where those of another begin!

mariosa@vellacardona.com

Mariosa Vella Cardona is a freelance legal consultant specialising in European law, competition law, consumer law and intellectual property law.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.