- The ECJ rules that the name, signature and contact details of representatives of legal entities are personal data and their disclosure constitutes processing under the GDPR.
- The GDPR (Art. 6 para. 1 lit. c and e) permits official acts of disclosure, Art. 86 GDPR permits national rules on the coordination of the right of publicity and data protection.
- Member States may inform and consult interested parties before disclosure, provided that this is practicable and does not cause disproportionate effort or restriction of access.
In Case C‑710/23 the ECJ had to rule on the question of whether information on the representatives of legal persons in the disclosure of official documents is subject to the protection of the GDPR under national freedom of information law (right of public access). Specifically, the case concerned a Access request to the Ministry of Health for information on persons who had signed contracts concluded by the Ministry for the purchase of Covid-19 tests and certificates for these tests. The Ministry had redacted the details of these signatories before disclosing the contracts.
Definition of the processing of personal data
Unsurprisingly, the ECJ initially clarifies that Name, signature or contact details of a natural person are “personal data” even if they are only disclosed to document the power of representation, and the disclosure of these data as part of an information access procedure is a “processing”. The GDPR therefore applies to this disclosure:
31 In the light of the foregoing, the answer to the first question is that Article 4(1) and (2) GDPR must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data. The fact that the disclosure is made for the sole purpose of enabling the identification of the natural person authorized to act on behalf of the legal person is irrelevant in this respect.
Relationship to the right of publicity
In addition, Member States may provide that data subjects must be informed and, if necessary, consulted before their data is disclosed in official documentseven beyond the GDPR (the GDPR itself would probably permit this disclosure here, on the basis of Art. 6 (1) (c) and (e)). This authorization is based on Art. 86 GDPR:
Personal data contained in official documents held by a public authority or body or by a private body for the performance of a task carried out in the public interest may be disclosed by the public authority or body in accordance with Union law or the law of the Member State to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data under this Regulation.
This concerned the case law of the Czech Supreme Administrative Court, according to which authorities must notify the persons concerned and obtain their opinion before disclosing personal data as part of an information access procedure. Such regulations must not, however, make disclosure impossible.where the GDPR permits it, e.g. if consultation would not be feasible by reasonable means:
48 In the light of the foregoing, the answer to the second question is that Article 6(1)(c) and (e) of the GDPR, read in conjunction with Article 86 thereof, must be interpreted as not precluding national legislation which prohibits a controller which is a public authority from exercising the right of public access to data. c and e GDPR, read in conjunction with Article 86 thereof, must be interpreted as not precluding national case-law which requires a controller, which is a public authority required to reconcile the public’s right of access to official documents and the right to the protection of personal data, to inform and consult the natural person concerned before disclosing official documents containing such data, insofar as such an obligation is not impossible to fulfill is or a disproportionate effort and therefore does not lead to a disproportionate restriction of the public’s right of access leads to these documents.
This second part of the ruling is surprising insofar as the GDPR does not regulate the principle of public access and does not provide a right of access to official documents, but at most restricts this access to a greater or lesser extent. In this respect, national regulations that restrict or even exclude access to a greater extent for data protection reasons cannot actually violate the GDPR.