Today, 11 January 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in the case C-231/22, Belgian State (Données traitées par un journal officiel).
In this case, in addition to the legally required content, the personal data of the partners of a company were published in the Moniteur belge (the Belgian Official Journal).
The CJEU adopts the position of the Advocate General, who issued her Opinion in June 2023.
The Court ruled that the body responsible for the Official Journal, which has a legal obligation to publish as such official acts and documents drawn up by third parties and then submitted to a judicial authority which sends them to it for publication, can be qualified as controller of personal data contained in those acts and documents, despite its lack of legal personality, if the relevant national law determines the purposes and means of the processing of personal data carried out by that Official Journal.
In line with the previous findings of the Advocate General, the CJEU explained that it is possible for an entity to be implicitly designated as a controller by the law. This is the case when it results with sufficient certainty from the role, tasks and powers conferred on an authority that it determines the purposes and means of the processing in question (see para. 30). In this case, the Court held that the Belgian law has, at least implicitly, determined the purposes and means of the processing of personal data carried out by the Belgian Official Journal when publishing acts and documents.
Thus, in line with the Advocate General’s opinion, which emphasized that the absence of a decisive influence over the processing of personal data is not sufficient to exclude the possibility that an entity may still qualify as a controller, the CJEU concluded that the Belgian Official Journal should be qualified as a controller.
The fact that the Belgian Official Journal has no legal personality and no control over the content of the acts and documents published has no impact on its qualification from a data protection perspective (see para 36 and 37).
Finally, the CJEU also stated that the body responsible for the Official Journal, qualified as a “data controller”, is solely responsible for compliance with data protection requirements in relation to the processing operations of personal data which it is obliged to carry out under the law, unless a joint responsibility with other entities in relation to those operations results from the law.
The judgment of the CJEU is available here (currently available only in French).