BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £5, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
Court of Justice of the European Communities (including Court of First Instance Decisions) |
||
You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> Manni (Approximation of laws Approximation of laws Data protection Freedom of establishment - Judgment) [2017] EUECJ C-398/15 (09 March 2017) URL: http://www.bailii.org/eu/cases/EUECJ/2017/C39815.html Cite as: EU:C:2017:197, [2018] Bus LR 25, ECLI:EU:C:2017:197, [2017] WLR(D) 163, [2017] EUECJ C-398/15 |
[New search] [Contents list] [Buy ICLR report: [2018] Bus LR 25] [View ICLR summary: [2017] WLR(D) 163] [Help]
Provisional text
JUDGMENT OF THE COURT (Second Chamber)
9 March 2017 (*)
(Reference for a preliminary ruling — Personal data — Protection of individuals with regard to the processing of personal data — Directive 95/46/EC — Article 6(1)(e) — Data subject to disclosure in the companies register — First Directive 68/151/EEC — Article 3 — Winding-up of the company concerned — Restriction of access to that data by third parties)
In Case C‑398/15
REQUEST for a preliminary ruling under Article 267 TFEU from the Corte suprema di cassazione (Court of Cassation, Italy), made by decision of 21 May 2015, received at the Court on 23 July 2015, in the proceedings
Camera di Commercio,Industria, Artigianato e Agricoltura di Lecce
v
Salvatore Manni,
THE COURT (Second Chamber),
composed of M. Ilešič (Rapporteur), President of the Chamber, A. Prechal, A. Rosas, C. Toader and E. Jarašiūnas, Judges,
Advocate General: Y. Bot,
Registrar: I. Illéssy, Administrator,
having regard to the written procedure and further to the hearing on 15 June 2016,
after considering the observations submitted on behalf of:
– the Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce, by L. Caprioli, avvocato,
– the Italian Government, by G. Palmieri, acting as Agent, and by E. De Bonis and P. Grasso, avvocati dello Stato,
– the Czech Government, by M. Smolek and J. Vláčil, acting as Agents,
– the German Government, by T. Henze and J. Möller, acting as Agents,
– Ireland, by E. Creedon, J. Quaney and by A. Joyce, acting as Agents, and by A. Carroll, barrister,
– the Polish Government, by B. Majczyna, acting as Agent,
– the Portuguese Government, by L. Inez Fernandes and M. Figueiredo and by C. Vieira Guerra, acting as Agents,
– the European Commission, by P. Costa de Oliveira and by D. Nardi and H. Støvlbæk, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 8 September 2016,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community (OJ 1968 L 65, p. 8), as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003 (OJ 2003 L 221, p. 13) (‘Directive 68/151’), and Article 6(1)(e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 The request has been made in proceedings between the Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce (Chamber of Commerce, Industry, Crafts and Agriculture of Lecce, Italy, ‘the Chamber of Commerce of Lecce’) and Salvatore Manni concerning its refusal to delete certain personal data relating to Mr Manni from the companies register.
Legal context
EU law
Directive 68/151
3 As stated in recital 3 of Directive 2003/58, the aim of the directive was, inter alia, to modernise Directive 68/151 so as to make ‘company information more easily and rapidly accessible by interested parties, but should also simplify significantly the disclosure formalities imposed upon companies’.
4 The recitals in the preamble to Directive 68/151 are worded as follows:
‘Whereas the co-ordination provided for in Article 54(3)(g) [of the EEC Treaty] and in the General Programme for the abolition of restrictions on freedom of establishment is a matter of urgency, especially in regard to companies limited by shares or otherwise having limited liability, since the activities of such companies often extend beyond the frontiers of national territories;
Whereas the co-ordination of national provisions concerning disclosure, the validity of obligations entered into by, and the nullity of, such companies is of special importance, particularly for the purpose of protecting the interests of third parties;
Whereas in these matters Community provisions must be adopted in respect of such companies simultaneously, since the only safeguards they offer to third parties are their assets;
Whereas the basic documents of the company should be disclosed in order that third parties may be able to ascertain their contents and other information concerning the company, especially particulars of the persons who are authorised to bind the company;
Whereas the protection of third parties must be ensured by provisions which restrict to the greatest possible extent the grounds on which obligations entered into in the name of the company are not valid;
Whereas it is necessary, in order to ensure certainty in the law as regards relations between the company and third parties, and also between members, to limit the cases in which nullity can arise and the retroactive effect of a declaration of nullity, and to fix a short time limit within which third parties may enter objection to any such declaration’.
5 Pursuant to Article 1 of Directive 68/151, the coordination measures prescribed by that directive apply to the laws, regulations and administrative provisions of the Member States relating to the forms of companies listed in that provision, including, for the Italian Republic, the società a responsabilità limitata (limited liability company).
6 Article 2 of that directive, which is set out in Section I thereof, entitled ‘Disclosure’, states:
‘1. Member States shall take the measures required to ensure compulsory disclosure by companies of at least the following documents and particulars:
...
(d) the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law or as members of any such body:
(i) are authorized to represent the company in dealings with third parties and in legal proceedings;
(ii) take part in the administration, supervision or control of the company.
...
(h) the winding-up of the company;
...
(j) The appointment of liquidators, particulars concerning them, and their respective powers, unless such powers are expressly and exclusively derived from law or from the statutes of the company;
(k) the termination of the liquidation and, in Member States where striking off the register entails legal consequences, the fact of any such striking off.’
7 Article 3 of that directive, which is also set out in that section, provides:
‘1. In each Member State a file shall be opened in a central register, commercial register or companies register, for each of the companies registered therein.
2. All documents and particulars which must be disclosed in pursuance of Article 2 shall be kept in the file or entered in the register; the subject matter of the entries in the register must in every case appear in the file.
...
3. A copy of the whole or any part of the documents or particulars referred to in Article 2 must be obtainable on application. As from 1 January 2007 at the latest, applications may be submitted to the register by paper means or by electronic means as the applicant chooses.
As from a date to be chosen by each Member State, which shall be no later than 1 January 2007, copies as referred to in the first subparagraph must be obtainable from the register by paper means or by electronic means as the applicant chooses. This shall apply in the case of all documents and particulars, irrespective of whether they were filed before or after the chosen date. However, Member States may decide that all, or certain types of, documents and particulars filed by paper means on or before a date which may not be later than 31 December 2006 shall not be obtainable from the register by electronic means if a specified period has elapsed between the date of filing and the date of the application submitted to the register. Such specified period may not be less than 10 years.
...’
8 Directive 68/151 was repealed and replaced by Directive 2009/101/EC of the European Parliament and of the Council of 16 September 2009 on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent (OJ 2009 L 258, p. 11), as amended by Directive 2012/17/EC of the European Parliament and of the Council of 13 June 2012 (OJ 2012 L 156, p. 1).
9 Directive 2012/17 introduced, inter alia, Article 7a into Directive 2009/101, which states:
‘The processing of personal data carried out within the framework of this Directive shall be subject to Directive 95/46 ...’
10 However, bearing in mind the date of the facts, the main proceedings are still governed by Directive 68/151.
Directive 95/46
11 Directive 95/46, the object of which, according to Article 1, is to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, and to remove obstacles to the free flow of personal data, states in recitals 10 and 25 in its preamble:
‘(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;
...
(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons ... responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances’.
12 Article 2 of Directive 95/46 provides:
‘For the purpose of this Directive:
(a) “personal data” mean any information relating to an identified or identifiable natural person (data subject), whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
...
(d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
...’
13 Paragraph 1 of that directive, entitled ‘Scope’, states:
‘This Directive applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
14 In Section I (entitled ‘Principles relating to data quality’) of Chapter II of Directive 95/46, Article 6 is worded as follows:
‘1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes is not to be considered as incompatible provided that Member States provide appropriate safeguards.
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States must lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.’
15 In Section II (entitled ‘Criteria for making data processing legitimate’) of Chapter II of Directive 95/46, Article 7 provides:
‘Member States shall provide that personal data may be processed only if:
...
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
...
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed;
or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).’
16 Article 12 of that directive, entitled ‘Rights of access’, provides:
‘Member States shall guarantee every data subject the right to obtain from the controller:
...
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
...’
17 Article 14 of Directive 95/46, entitled ‘The data subject’s right to object’, provides:
‘Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;
...’
18 Article 28 of Directive 95/46 provides for the establishment by the Member States of a supervisory authority responsible for supervising the application of the provisions adopted pursuant to that directive.
Italian law
19 Article 2188 of the codice civil (Civil Code) provides:
‘A companies register shall be established for entries in the register required by law.
The register shall be kept by the office of the companies register under the supervision of a judge appointed by the president of the court.
The register shall be publicly available.’
20 Article 8(1) and (2) of legge n. 580 — Riordinamento delle camere di commercio, industria, artigianato e agricoltura (Law No 580 on the reorganisation of the chambers of commerce, industry, craft trades and agriculture) of 29 December 1993 (Ordinary Supplement to GURI No 7 of 11 January 1994), provides that it is the responsibility of the chambers of commerce, industry, craft trades and agriculture to keep the register.
21 Decreto del Presidente della Repubblica n. 581 — Regolamento di attuazione dell’articolo 8 della legge 29 dicembre 1993, n. 580, in materia di istituzione del registro delle imprese di cui all’articolo 2188 del codice civile (Decree No 581 of the President of the Republic, laying down implementing regulations for Article 8 of Law No 580, of 29 December 1993, concerning the establishment of the companies register referred to in Article 2188 of the Civil Code) of 7 December 1995 (GURI No 28 of 3 February 1996), governs certain details relating to the companies register.
22 Directive 95/46 has been transposed into Italian law by decreto legislativo n. 196 — Codice in materia di protezione dei dati personali (Legislative Decree No 196 on the personal data protection code) of 30 June 2003 (Ordinary Supplement to GURI No 174 of 29 July 2003).
The dispute in the main proceedings and the questions referred for a preliminary ruling
23 Mr Manni is the sole director of Italiana Costruzioni Srl, a building company which was awarded a contract for the construction of a tourist complex.
24 By an action commenced on 12 December 2007, Mr Manni brought proceedings against the Lecce Chamber of Commerce, claiming that the properties in that complex were not selling because it was apparent from the companies register that he had been the sole director and liquidator of Immobiliare e Finanziaria Salentina Srl (‘Immobiliare Salentina’), which had been declared insolvent in 1992 and struck off the companies register, following liquidation proceedings, on 7 July 2005.
25 In that action, Mr Manni alleged that the personal data concerning him, which appear in the companies register, had been processed by a company specialised in the collection and processing of market information and in risk assessment (‘rating’), and that, notwithstanding a request to remove it from the register, the Lecce Chamber of Commerce has not done so.
26 Mr Manni therefore sought an order requiring the Lecce Chamber of Commerce to erase, anonymise or block the data linking him to the liquidation of Immobiliare Salentina, together with an order that that chamber compensate him for the damage he suffered by reason of the injury to his reputation.
27 By judgment of 1 August 2011, the Tribunale di Lecce (Court of Lecce, Italy) upheld that claim, ordering the Lecce Chamber of Commerce to anonymise the data linking Mr Manni to the liquidation of Immobiliare Salentina and to pay compensation for the damage suffered by him, assessed at EUR 2 000, together with interest and costs.
28 The Tribunale di Lecce (Court of Lecce) considered that ‘it is not permissible for entries in the register which link the name of an individual to a critical phase in the life of the company (such as its liquidation) to be permanent, unless there is a specific general interest in their retention and disclosure’. In the absence of any provision in the Civil Code laying down a maximum period of registration, that court held that, ‘after an appropriate period’ from the conclusion of the liquidation, and after the company has been removed from the register, stating the name of the person who was sole director of that company at the time of the liquidation ceased to be necessary and useful, for the purposes of Legislative Decree No 196, and the public interest in a ‘historical memory’ of the existence of the company and the difficulties it experienced [could] to a great extent be just as well effected by means of anonymous data’.
29 The Lecce Chamber of Commerce brought an appeal against that judgment before the Corte suprema di cassazione (Court of Cassation, Italy), which decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the principle of keeping personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed, laid down in Article 6(1)(e) of Directive 95/46, transposed by Legislative Decree No 196 of 30 June 2003, take precedence over and, therefore, preclude the system of disclosure established by means of the companies register provided for by Directive 68/151 and by national law in Article 2188 of the Civil Code and Article 8 of Law No 580 of 29 December 1993, in so far as it is a requirement of that system that anyone may, at any time, obtain the data relating to individuals in those registers?
(2) Consequently, is it permissible under Article 3 of Directive 68/151, by way of derogation from the principles that there should be no time limit and that anyone may consult the data published in the companies register, for the data no longer to be subject to ‘disclosure’, in both those regards, but to be available for only a limited period and only to certain recipients, on the basis of a case-by-case assessment by the data manager?’
Consideration of the questions referred
30 By its questions, which should be considered together, the referring court asks, essentially, whether Article 3 of Directive 68/151 and Article 6(1)(e) of Directive 95/46 must be interpreted as meaning that Member States may, and indeed must, allow individuals, covered by Article 2(1)(d) and (j) of Directive 68/151, to request the authority responsible for maintaining the companies register to limit, after a certain period has elapsed from the dissolution of the company concerned and on the basis of a case-by-case assessment, access to personal data concerning them and entered in that register.
31 It should be noted at the outset that the case at issue in the main proceedings and the questions referred to the Court for a preliminary ruling do not concern the subsequent processing of the data at issue in this case by a specialised rating company, referred to in paragraph 25 of the present judgment, but rather the accessibility of such data held in the companies register by third parties.
32 In that regard, it must first be pointed out that, under Article 2(1)(d) of Directive 68/151, Member States must take the measures necessary to ensure compulsory disclosure by companies of at least the appointment, termination of office and particulars of the persons who either as a body constituted pursuant to law, or as members of any such body, are authorised to represent the company in dealings with third parties and in legal proceedings, or take part in the administration, supervision or control of that company. Moreover, according to Article 2(1)(j), the appointment of liquidators, particulars concerning them and, in principle, their respective powers must also be disclosed.
33 Pursuant to Article 3(1) to (3) of Directive 68/151, those particulars must be transcribed in each Member State either in a central register, commercial register or companies register (together, ‘the register’), and a copy of the whole or any part of those particulars must be obtainable by application.
34 It must be held that the particulars concerning the identity of the persons referred to in Article 2(1)(d) and (j) of Directive 68/151 constitute, as information relating to identified or identifiable natural persons, ‘personal data’ within the meaning of Article 2(a) of Directive 95/46. It is apparent from the Court’s case-law that the fact that that information was provided as part of a professional activity does not mean that it cannot be characterised as personal data (see judgment of 16 July 2015, ClientEarth and PAN Europe v EFSA, C‑615/13 P, EU:C:2015:489, paragraph 30 and the case-law cited).
35 Furthermore, by transcribing and keeping that information in the register and communicating it, where appropriate, on request to third parties, the authority responsible for maintaining that register carries out ‘processing of personal data’ for which it is the ‘controller’, within the meaning of the definitions set out Article 2(b) and (d) of Directive 95/46.
36 The processing of personal data which is thus carried out in the implementation of Article 2(1)(d) and (j) and Article 3 of Directive 68/151 is subject to Directive 95/46, under Articles 1 and 3 thereof. This is now expressly provided for in Article 7a of Directive 2009/101, as amended by Directive 2012/17, which, however, is only declaratory in that regard. As the European Commission stated at the hearing, the EU legislature considered it useful to recall that fact in the context of the legislative changes introduced by Directive 2012/17 and aimed at ensuring interoperability of registers of the Member States, since those changes suggested an increase in the intensity of the processing of personal data.
37 With regard to Directive 95/46, it should be remembered that, as is apparent from Article 1 and recital 10 in the preamble, that directive seeks to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data (see judgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 66 and the case-law cited).
38 According to recital 25 in the preamble to Directive 95/46, the principles of protection laid down by the directive are reflected, on the one hand, in the obligations imposed on persons responsible for processing data, in particular regarding data quality, technical security, notification to the supervisory authority and the circumstances under which processing can be carried out, and, on the other hand, in the rights conferred on individuals whose data are the subject of processing to be informed that such processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances.
39 The Court has already held that the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms and, in particular, the right to respect for private life, must necessarily be interpreted in the light of the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union (‘the Charter’) (see judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650, paragraph 38 and the case-law cited).
40 Article 7 of the Charter therefore guarantees the right to respect for private life, whilst Article 8 of the Charter expressly proclaims the right to the protection of personal data. Article 8(2) and (3) states that such data must be processed fairly, for specific purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law, that everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified, and that compliance with those rules is to be subject to control by an independent authority. Those requirements are implemented inter alia in Articles 6, 7, 12, 14 and 28 of Directive 95/46.
41 With regard, in particular, to the general conditions of lawfulness imposed by Directive 95/46, it should be noted that, subject to the exceptions permitted under Article 13 of that directive, all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive (see, inter alia, judgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 71 and the case-law cited).
42 In that regard, as the Advocate General pointed out in point 52 of his Opinion, it should be noted that the processing of personal data by the authority responsible for keeping the register pursuant to Article 2(1)(d) and (j) and Article 3 of Directive 68/151 satisfies several grounds for legitimation provided for in Article 7 of Directive 95/46, namely those set out in subparagraph (c) thereof, relating to compliance with a legal obligation, subparagraph (e), relating to the exercise of official authority or the performance of a task carried out in the public interest, and subparagraph (f) relating to the realisation of a legitimate interest pursued by the controller or by the third parties to whom the data are disclosed.
43 With regard, inter alia, to the ground for legitimation provided for in Article 7(e) of Directive 95/46, it should be noted that the Court of Justice has already held that the activity of a public authority consisting in the storing, in a database, of data which undertakings are obliged to report on the basis of statutory obligations, permitting interested persons to search for that data and providing them with print-outs thereof, falls within the exercise of public powers (see judgment of 12 July 2012, Compass-Datenbank, C‑138/11, EU:C:2012:449, paragraphs 40 and 41). Moreover, such an activity also constitutes a task carried out in the public interest within the meaning of that provision.
44 In the present case, the parties to the main proceedings disagree as to whether the authority responsible for keeping the register should, after a certain period has elapsed since a company ceased to trade, and on the request of the data subject, either erase or anonymise that personal data, or limit their disclosure. In that context, the referring court asks in particular whether such an obligation flows from Article 6(1)(e) of Directive 95/46.
45 According to Article 6(1)(e) of Directive 95/46, Member States are to ensure that personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Where that data are stored for longer periods for historical, statistical or scientific use, Member States must lay down appropriate safeguards. Pursuant to paragraph 2 of that article, it is the responsibility of the controller to ensure compliance with those principles.
46 In the event of failure to comply with the condition laid down in Article 6(1)(e) of Directive 95/46, Member States guarantee the person concerned, pursuant to Article 12(b) thereof, the right to obtain from the controller, as appropriate, the erasure or blocking of the data concerned (see, to that effect, judgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 70).
47 Moreover, under subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, Member States are to grant the data subject the right, inter alia in the cases referred to in Article 7(e) and (f) of that directive, to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. The balancing to be carried out under subparagraph (a) of the first paragraph of Article 14 thus enables account to be taken in a more specific manner of all the circumstances surrounding the data subject’s particular situation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data (see judgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 76).
48 In order to determine whether Member States are required, under Article 6(1)(e) and Article 12(b), or under subsection (a) of the first subparagraph of Article 14 of Directive 95/46, to provide, for the natural persons referred to in Article 2(1)(d) and (j) of Directive 68/151, the right to apply to the authority responsible for keeping the register to erase or block the personal data entered in that register after a certain period of time, or to restrict access to it, it is first necessary to ascertain the purpose of that registration.
49 In that regard, it is apparent from the recitals and from the title of Directive 68/151 that the purpose of the disclosure provided for by that directive is to protect in particular the interests of third parties in relation to joint stock companies and limited liability companies, since the only safeguards they offer to third parties are their assets. To that end, the basic documents of the company concerned should be disclosed in order that third parties may be able to ascertain their contents and other information concerning the company, especially particulars of the persons who are authorised to bind the company.
50 The Court has already noted, moreover, that the purpose of Directive 68/151 is to guarantee legal certainty in relation to dealings between companies and third parties in view of the intensification of trade between Member States following the creation of the internal market and that, with that in mind, it is important that any person wishing to establish and develop trading relations with companies situated in other Member States should be able easily to obtain essential information relating to the constitution of trading companies and to the powers of persons authorised to represent them, which requires that all the relevant information should be expressly stated in the register (see, to that effect, judgment of 12 November 1974, Haaga, 32/74, EU:C:1974:116, paragraph 6).
51 Moreover, it is apparent from the case-law of the Court that the disclosure provided for in Article 3 of Directive 68/151 is intended to enable any interested third parties to inform themselves of these matters, without having to establish a right or an interest requiring to be protected. The Court noted, in that regard, that the very wording of Article 54(3)(g) of the EEC Treaty, on which that directive was based, refers to the need to protect the interests of third parties generally, without distinguishing or excluding any categories falling within the ambit of that term, and consequently the third parties referred to in that article cannot be limited in particular merely to creditors of the company concerned (see judgment of 4 December 1997, Daihatsu Deutschland, C‑97/96, EU:C:1997:581, paragraphs 19, 20 and 22, and the order of 23 September 2004, Springer, C‑435/02 and C‑103/03, EU:C:2004:552, paragraphs 29 and 33).
52 Furthermore, as to whether, in order to achieve the aim referred to in Article 3 of Directive 68/151, it is in principle necessary for the personal data of natural persons referred to in Article 2(1)(d) and (j) of that directive to remain on the register and/or accessible to any third party upon request also after the activity has ceased and the company concerned has been dissolved, it should be pointed out that the directive makes no express provision in that regard.
53 However, as the Advocate General also pointed out in points 73 and 74 of his Opinion, it is common ground that even after the dissolution of a company, rights and legal relations relating to it continue to exist. Thus, in the event of a dispute, the data referred to in Article 2(1)(d) and (j) of Directive 68/151 may be necessary in order, inter alia, to assess the legality of an act carried out on behalf of that company during the period of its activity or so that third parties can bring an action against the members of the organs or against the liquidators of that company.
54 Moreover, depending in particular on the limitation periods applicable in the various Member States, questions requiring such data may arise for many years after a company has ceased to exist.
55 In view of the range of possible scenarios, which may involve actors in several Member States, and the considerable heterogeneity in the limitation periods provided for by the various national laws in the various areas of law, highlighted by the Commission, it seems impossible, at present, to identify a single time limit, as from the dissolution of a company, at the end of which the inclusion of such data in the register and their disclosure would no longer be necessary.
56 In those circumstances, Member States cannot, pursuant to Article 6(1)(e) and Article 12(b) of Directive 95/46, guarantee that the natural persons referred to in Article 2(1)(d) and (j) of Directive 68/151 have the right to obtain, as a matter of principle, after a certain period of time from the dissolution of the company concerned, the erasure of personal data concerning them, which have been entered in the register pursuant to the latter provision, or the blocking of that data from the public.
57 That interpretation of Article 6(1)(e) and Article 12(b) of Directive 95/46 does not, moreover, result in disproportionate interference with the fundamental rights of the persons concerned, and particularly their right to respect for private life and their right to protection of personal data as guaranteed by Articles 7 and 8 of the Charter.
58 First, Article 2(1)(d) and (j) and Article 3 of Directive 68/151 require disclosure only for a limited number of personal data items, namely those relating to the identity and the respective functions of persons having the power to bind the company concerned to third parties and to represent it or take part in the administration, supervision or control of that company, or having been appointed as liquidator of that company.
59 Secondly, as pointed out in paragraph 49 of the present judgment, Directive 68/151 provides for disclosure of the data referred to in Article 2(1)(d) and (j) thereof, due, in particular, to the fact that the only safeguards that joint-stock companies and limited liability companies offer to third parties are their assets, which constitutes an increased economic risk for the latter. In view of this, it appears justified that natural persons who choose to participate in trade through such a company are required to disclose the data relating to their identity and functions within that company, especially since they are aware of that requirement when they decide to engage in such activity.
60 Finally, as regards subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, it must be pointed out that, whereas it follows from the foregoing that, in the weighting to be carried out under that provision, in principle, the need to protect the interests of third parties in relation to joint-stock companies and limited liability companies and to ensure legal certainty, fair trading and thus the proper functioning of the internal market take precedence, it cannot be excluded, however, that there may be specific situations in which the overriding and legitimate reasons relating to the specific case of the person concerned justify exceptionally that access to personal data entered in the register is limited, upon expiry of a sufficiently long period after the dissolution of the company in question, to third parties who can demonstrate a specific interest in their consultation.
61 In that regard, however, it should be pointed out that, in so far as the application of subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 is subject to the proviso that national law does not lay down a provision to the contrary, the final decision as to whether the natural persons referred to in Article 2(1)(d) and (j) of Directive 68/151 may apply to the authority responsible for keeping the register for such limitation of access to personal data concerning them, on the basis of a case-by-case assessment, is a matter for the national legislatures.
62 It is for the referring court to determine the provisions of its national law in that regard.
63 Assuming that such an examination reveals that national law permits such applications, it will be for the national court to assess, having regard to all the relevant circumstances and taking into account the time elapsed since the dissolution of the company concerned, the possible existence of legitimate and overriding reasons which, as the case may be, exceptionally justify limiting third parties’ access to the data concerning Mr Manni in the company register, from which it is apparent that he was the sole administrator and liquidator of Immobiliare Salentina. In that regard, it should be pointed out that the mere fact that, allegedly, the properties of a tourist complex built by Italiana Costruzioni, of which Mr Manni is currently the sole director, do not sell because of the fact that potential purchasers of those properties have access to that data in the company register, cannot be regarded as constituting such a reason, in particular in view of the legitimate interest of those purchasers in having that information.
64 In the light of all the foregoing considerations, the answer to the questions referred must be that Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, read in conjunction with Article 3 of Directive 68/151, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping the register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
Costs
65 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Second Chamber) hereby rules:
Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
[Signatures]
* Language of the case: Italian.
© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.
BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2017/C39815.html