No right to be forgotten in respect of personal data in company registers
The CJEU has ruled (Case C-398/15) that there is no general right to be forgotten in respect of personal data in a companies register. However, upon expiry of a sufficiently long period after dissolution of a company, Member States may provide for restricted access to such data by third parties in exceptional cases. The CJEU’s decision is in line with its ruling in Google Spain (Case C-131/12) that the right to be forgotten is not absolute, and will always need to be balanced against other fundamental rights.
Mr Manni, a company director, claimed that he was unable to sell properties in a tourist complex in Italy because it was clear from his local companies register that he had been the administrator of another company that went bankrupt in 1992 and was wound up in 2005. Mr Manni challenged the availability of his personal data before his local courts. The Italian Court asked the CJEU whether the Data Protection Directive (95/46/EC) and the Company Law Directive (68/151/EEC) (Articles 2(1)(d)(j) and 3) determine whether personal data recorded in the Company Register can, after a period of time and upon request of the interested person, be deleted, made anonymous, blocked or made available only to certain third parties who have a legitimate interest in accessing such data.
The CJEU ruled that Member States cannot guarantee that individuals, whose data are included in the company register, have the right to obtain erasure of personal data concerning them, or the blocking of that data, upon the expiry of a certain period of time from the dissolution of the company. The CJEU noted that the public nature of company registers is intended to ensure legal certainty in dealing between companies and third parties and to protect the interests of third parties, since the only safeguards they offer to third parties are their assets. The CJEU also noted that matters requiring the availability of personal data in the companies register may arise for many years after a company has ceased to exist. Having regard to the range of legal rights and the diversity of limitation periods provided by the various national laws, the CJEU found it impossible to identify a single period after which the entry of data in the register and their disclosure would no longer be necessary.
The CJEU further found that the interference with the rights of individuals, guaranteed by the Charter of Fundamental Rights of the Union, was not disproportionate in so far as (1) only a limited amount of personal data are entered in the company register, and (2) it is justified that individuals who choose to participate in trade through a joint stock or limited liability company, whose only safeguards for third parties are the assets of that company, should be required to disclose data relating to their identity and functions within that company.
However, the CJEU did not exclude the possibility that in specific situations, there might be overriding and legitimate reasons that would justify limiting access to personal data entered in the register. Such limitations would only occur exceptionally, upon expiry of a sufficiently long period after the dissolution of the company in question. Furthermore, the register would still have to allow access to third parties who can demonstrate a specific interest in consulting the data. The CJEU held that it is for each Member State to decide if it wants such a limitation of access in its national legal system. In the present case the CJEU considered that the circumstances did not justify limitation of access, given the legitimate interest of the potential purchasers in availing of the information in the register.
his article was first published on the Ireland IP & Technology Law Blog on 10 March 2017.
For further information please contact Davinia Brennan.