Ga verder naar contentGa verder naar content en skip ook inhoudsopgave
SduIn- en Uitvoer
Home

Judgment of the Court (Third Chamber) of 11 January 2024

Judgment of the Court (Third Chamber) of 11 January 2024

Data

Court
Court of Justice
Case date
11 januari 2024

Verdict

Judgment of the Court (Third Chamber)

11 January 2024(*)

"(Reference for a preliminary ruling - Approximation of laws - Protection of natural persons with regard to the processing of personal data and free movement of such data (General Data Protection Regulation) - Regulation (EU) 2016/679 - Point 7 of Article 4 - Concept of controller - Official journal of a Member State - Obligation to publish as they stand company documents prepared by companies or their legal representatives - Article 5(2) - Successive processing of the personal data contained in such documents by several separate persons or entities - Determination of responsibilities)"

In Case C‑231/22,

REQUEST for a preliminary ruling under Article 267 TFEU from the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium), made by decision of 23 February 2022, received at the Court on 1 April 2022, in the proceedings

État belge

v

Autorité de protection des données,

other party:

LM,

THE COURT (Third Chamber),

composed of K. Jürimäe, President of the Chamber, N. Piçarra, M. Safjan (Rapporteur), N. Jääskinen and M. Gavalec, Judges,

Advocate General: L. Medina,

Registrar: C. Strömholm, Administrator,

having regard to the written procedure and further to the hearing on 23 March 2023,

  1. after considering the observations submitted on behalf of:

    • the Autorité de protection des données, by F. Biebuyck, P. Van Muylder, avocates, and E. Kairis, advocaat,

    • the Belgian Government, by P. Cottin, J.-C. Halleux and C. Pochet, acting as Agents, and by S. Kaisergruber and P. Schaffner, avocats,

    • the Hungarian Government, by Zs. Biró-Tóth and M.Z. Fehér, acting as Agents,

    • the European Commission, by A. Bouchagiar, H. Kranenborg and A.-C. Simon, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 8 June 2023,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of point 7 of Article 4 and Article 5(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

2 The request has been made in proceedings between the État belge (Belgian State) and the Autorité de protection des données (Data Protection Authority, Belgium; ‘the DPA’), which is the supervisory authority established in Belgium pursuant to Article 51 of the GDPR, concerning a decision by which that authority ordered the managing authority of the Moniteur belge, the official journal which ensures, in that Member State, the production and dissemination of a wide range of official and public publications in paper format and electronically, to give effect to the exercise, by a natural person, of his right to erasure in relation to a number of items of personal data contained in an act published in that official journal.

Legal context

European Union law

3 Points 2 and 7 of Article 4 of the GDPR provide:

‘For the purposes of this Regulation:

  1. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  1. “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

…’

4 Article 5 of the GDPR states:

‘1.

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2.

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

5 Article 17 of the GDPR is worded as follows:

‘1.

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

3.

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

  1. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  1. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; …

…’

6 Pursuant to Article 26 of the GDPR:

‘1.

Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2.

The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3.

Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.’

7 Article 51 of the GDPR states, inter alia, that Member States must provide for one or more independent public authorities to be responsible for monitoring the application of that regulation.

Belgian law

8 Article 472 of the Loi-programme du 24 décembre 2002 (Programme-Law of 24 December 2002) (Moniteur belge, 31 December 2002, p. 58686) provides:

‘The Moniteur belge is an official publication produced by the Office of the Moniteur belge, which collates all the texts the publication of which in the Moniteur belge has been ordered.’

9 Article 474 of that programme-law states:

‘Publication in the Moniteur belge by the Office of the Moniteur belge shall be done in four printed paper copies.

One copy shall be stored electronically. The King shall determine the arrangements for electronic storage …’

10 Article 475 of that programme-law is worded as follows:

‘Otherwise, publications shall be made available to the public only through the website of the Office of the Moniteur belge.

The publications made available on this website shall be the exact reproductions in electronic format of the paper copies provided for in Article 474.’

11 Under Article 475a of that programme-law:

‘Any citizen may obtain a copy of the acts and documents published in the Moniteur belge at cost price from the services of the Moniteur belge, by means of a free telephone helpline. This service is also responsible for providing citizens with a document search help service.’

12 Article 475b of the Programme-Law of 24 December 2002 provides:

‘Other accompanying measures shall be taken by Royal Decree deliberated in the Council of Ministers in order to ensure the widest possible dissemination of and access to the information contained in the Moniteur belge.’

The dispute in the main proceedings and the questions referred for a preliminary ruling

13 In Belgium, a natural person held the majority of the shares in a private limited liability company. After the shareholders of that company decided to reduce its capital, the articles of association of that company were amended by a decision of its extraordinary general meeting of 23 January 2019.

14 In accordance with the code des sociétés (Companies Code), in the version resulting from the loi du 7 mai 1999 (Law of 7 May 1999) (Moniteur belge, 6 August 1999, p. 29440), an extract of that decision was prepared by the notary of that natural person before being sent on by that notary to the registry of the court having jurisdiction, namely the tribunal de l’entreprise (Business Court, Belgium) within the territorial jurisdiction of which that company has its seat. In accordance with the relevant legal provisions, that court sent that extract to the Office of the Moniteur belge for publication.

15 On 12 February 2019, that extract was published as it stood, that is to say, without checking its content, in the annexes to the Moniteur belge in accordance with the applicable legal provisions.

16 That extract contains the decision to reduce that company’s capital, the initial amount of that capital, the amount of the reduction in question, the new amount of the share capital and the new text of the articles of association of that company. It also contains a passage in which the names of the two partners of that company, including the name of the natural person referred to in paragraph 13 of the present judgment, the amounts reimbursed to them and their bank account numbers are indicated (‘the passage at issue in the main proceedings’).

17 Finding that his notary had erred in including the passage at issue in the main proceedings in the extract referred to in paragraph 14 of the present judgment even though that was not required by law, that natural person, through that notary and the notary’s data protection officer, took steps to have that passage deleted, in accordance with his right to erasure provided for in Article 17 of the GDPR.

18 The service public fédéral Justice (Federal Public Service Justice; ‘the FPS Justice’), to which the Office of the Moniteur belge is attached, refused, in particular by a decision of 10 April 2019, to grant such a request for erasure.

19 On 21 January 2020, that natural person lodged a complaint against the FPS Justice with the DPA seeking a declaration that that request for erasure was well founded and that the conditions for exercising the right to erasure laid down in Article 17(1) of the GDPR were satisfied.

20 By decision of 23 March 2021, the DPA sent a ‘reprimand’ to the FPS Justice and ordered it to comply with that request for erasure as soon as possible, at the latest within 30 days of notification of that decision.

21 On 22 April 2021, the Belgian State brought an action before the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium), which is the referring court, seeking annulment of that decision.

22 That court notes that the parties disagree as to how the concept of ‘controller’ in point 7 of Article 4 of the GDPR should be interpreted in the case in the main proceedings, since the personal data contained in the passage at issue in the main proceedings, the publication of which was not required by law, have been processed by several potential ‘successive’ controllers. Those are, first, the notary who drew up the extract containing the passage at issue in the main proceedings and inserted those data by mistake, second, the registry of the court at which that extract was subsequently lodged before being sent on to the Moniteur belge for publication and, third, the Moniteur belge, which, in accordance with the legal provisions governing its status and tasks, published that extract as it stood, that is to say, without any power to review or amend it, after receiving it from that court.

23 In that context, the referring court is uncertain whether the Moniteur belge can be classified as a ‘controller’ within the meaning of point 7 of Article 4 of the GDPR. If it can be so classified, and while noting that the parties to the main proceedings do not rely on the joint responsibility provided for in Article 26 of the GDPR, that court also seeks to ascertain whether the Moniteur belge must be regarded as solely responsible, under Article 5(2) of that regulation, for compliance with the principles laid down in Article 5(1) of that regulation, or whether that responsibility is also incumbent cumulatively on the public bodies that had previously processed the data contained in the passage at issue in the main proceedings, namely the notary who drew up the extract containing that passage and the Business Court within the territorial jurisdiction of which the private limited liability company concerned has its seat.

24 In those circumstances, the cour d’appel de Bruxelles (Court of Appeal, Brussels) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

  • Must [point 7 of] Article 4 … of the [GDPR] be interpreted as meaning that a Member State’s official [journal] – vested with a public task of publishing and archiving official documents, which, under the applicable national legislation, is responsible for publishing official documents whose publication is ordered by third-party public bodies, as they stand when received from those bodies after the latter have themselves processed the personal data contained in those documents, without the national legislature having granted the official [journal] any discretion over the content of the documents to be published or the [purposes] and means of publication – has the status of data controller?

  • If the answer to Question 1 is in the affirmative, must Article 5(2) of the [GDPR] be interpreted as meaning that only the official [journal] in question need comply with the data controller’s responsibilities under that provision, to the exclusion of the third-party public bodies which have previously processed the data contained in the official documents whose publication they are requesting, or are those responsibilities incumbent cumulatively on each of the successive controllers?’

Consideration of the questions referred

The first question

25 By its first question, the referring court asks, in essence, whether point 7 of Article 4 of the GDPR must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, which is inter alia required, under the law of that State, to publish as they stand official acts and documents that have been prepared by third parties under their own responsibility in compliance with the applicable rules, then lodged with a judicial authority that sends them to it for publication, may be classified as a ‘controller’ of the personal data contained in those acts and documents within the meaning of that provision.

26 As a preliminary point, it should be noted that the concept of ‘controller’, set out in point 7 of Article 4 of the GDPR, presupposes the existence of ‘processing’ of personal data, within the meaning of point 2 of Article 4 of that regulation. In the present case, it is apparent from the order for reference that the personal data contained in the passage at issue in the main proceedings were processed by the Moniteur belge. Even though the referring court does not set out the details of that processing, it is apparent from the concurring written observations of the DPA and the Belgian Government that those data were at the very least collected, recorded, stored, disclosed by transmission and disseminated by the Moniteur belge, such operations constituting ‘processing’ within the meaning of point 2 of Article 4 of that regulation.

27 With that preliminary point in mind, it must be recalled that, under point 7 of Article 4 of the GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law.

28 In that regard, it should be borne in mind that, according to the case-law of the Court, that provision is intended to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras , C‑683/21, EU:C:2023:949, paragraph 29 , and of 5 December 2023, Deutsche Wohnen , C‑807/21, EU:C:2023:950, paragraph 40 and the case-law cited).

29 Having regard to the wording of point 7 of Article 4 of the GDPR, read in the light of that objective, it appears that, in order to establish whether a person or entity is to be classified as a ‘controller’ within the meaning of that provision, it must be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it must then be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination.

30 In that regard, it must be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of point 7 of Article 4 of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned. The protection of those persons would be undermined if point 7 of Article 4 of the GDPR were interpreted restrictively to cover only those cases in which the purposes and means of the data processing performed by a person, a public authority, an agency or a body are expressly determined by national law, even where those purposes and means are apparent, in essence, from the legal provisions governing the activity of the entity concerned.

31 In the present case, first, the referring court states that, in the case in the main proceedings, the Moniteur belge does not appear to be vested by national law with the power to determine the purposes and means of the data processing operations that it performs, and the first question was referred on the basis of that premiss. Moreover, it is apparent from the concurring explanations of the DPA and the Belgian Government at the hearing that the public authority managing the Moniteur belge, namely the FPS Justice, does not appear to be vested by national law with such a power either.

32 Second, it is apparent from the documents before the Court that the personal data contained in the acts and documents sent to the Moniteur belge for publication are essentially collected, recorded, stored and published as they stand with a view to informing the public officially of the existence of those acts and documents and making them enforceable against third parties.

33 Moreover, it is apparent from the explanations provided by the referring court that the processing is performed essentially by automated means: in particular, the data concerned are reproduced on printed paper copies, one of which is stored electronically, the paper copies are reproduced in electronic format for the website of the Moniteur belge and a copy may be obtained through a telephone helpline also responsible for providing citizens with a document search help service.

34 It thus follows from the documents before the Court that Belgian law has determined, at least implicitly, the purposes and means of the processing of personal data performed by the Moniteur belge.

35 In those circumstances, it should be noted that the Moniteur belge may be considered, as an agency or body responsible for processing the personal data contained in its publications in accordance with the purposes and means of processing prescribed by Belgian law, to be the ‘controller’ within the meaning of point 7 of Article 4 of the GDPR.

36 That conclusion is not called into question by the fact that the Moniteur belge, as a subdivision of the FPS Justice, does not have legal personality. It is apparent from the clear wording of that provision that a controller may be not only a natural or legal person, but also a public authority, an agency or a body, and such entities do not necessarily have legal personality under national law.

37 Similarly, the fact that, under national law, the Moniteur belge does not check, prior to their publication in that official journal, the personal data contained in the acts and documents received by that official journal cannot have any bearing on the question whether the Moniteur belge may be classified as a controller.

38 While it is true that the Moniteur belge must publish the document in question as it stands, it is the Moniteur belge alone that undertakes that task and then disseminates the act or document concerned. The publication of such acts and documents without any possibility of checking or amending their content is intrinsically linked to the purposes and means of processing determined by national law, in that the role of an official journal such as the Moniteur belge is confined to informing the public of the existence of those acts and documents, as they stand when sent to that official journal in the form of copies in accordance with the applicable national law, so as to make them enforceable against third parties. Moreover, it would be contrary to the objective of point 7 of Article 4 of the GDPR, referred to in paragraph 28 of the present judgment, to exclude the official journal of a Member State from the concept of ‘controller’ on the ground that it does not exercise control over the personal data contained in its publications (see, by analogy, judgment of 13 May 2014, Google Spain and Google , C‑131/12, EU:C:2014:317, paragraph 34 ).

39 In the light of the foregoing, the answer to the first question is that point 7 of Article 4 of the GDPR must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, which is inter alia required, under the law of that State, to publish as they stand official acts and documents that have been prepared by third parties under their own responsibility in compliance with the applicable rules, then lodged with a judicial authority that sends them to it for publication, may, notwithstanding its lack of legal personality, be classified as a ‘controller’ of the personal data contained in those acts and documents, where the national law concerned determines the purposes and means of the processing of personal data performed by that official journal.

The second question

40 By its second question, the referring court asks, in essence, whether Article 5(2) of the GDPR must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of the GDPR, must be regarded as solely responsible for compliance with the principles set out in Article 5(1) of the GDPR or whether such compliance is incumbent cumulatively on that agency or body and on the third-party public entities that have previously processed the personal data contained in the acts and documents published by that official journal.

41 First of all, it should be recalled that, under Article 5(2) of the GDPR, the controller is to be responsible for compliance with the principles laid down in the form of obligations in paragraph 1 of that article and must be able to demonstrate compliance with those principles.

42 In the present case, it is apparent from the documents before the Court that the processing of the personal data at issue in the main proceedings that was entrusted to the Moniteur belge is both subsequent to the processing performed by the notary and by the registry of the court having jurisdiction and technically different from the processing performed by those two entities in that it is additional to it. The operations performed by the Moniteur belge are entrusted to it by national legislation and involve inter alia the digital transformation of the data contained in the acts or extracts of acts submitted to it and the publication, the making widely available to the public and the storage of those data.

43 Therefore, the Moniteur belge must be considered to be responsible, under Article 5(2) of the GDPR, for compliance with the principles set out in paragraph 1 of that article, as regards the processing that it is required to perform under national law, and, accordingly, with all the obligations imposed on the controller by the GDPR.

44 Next, in view of the referring court’s doubts as to whether such an official journal is solely responsible for those processing operations, it should be recalled that, as is apparent from the wording of point 7 of Article 4 of the GDPR, that provision provides not only that the purposes and means of the processing of personal data may be determined jointly by several persons as controllers, but also that national law may itself determine those purposes and means and nominate the controller or provide for the specific criteria for its nomination.

45 Thus, in connection with a chain of processing operations that are performed by different persons or entities and relate to the same personal data, national law may determine the purposes and means of all the processing operations performed successively by those different persons or entities in such a way that they are regarded jointly as controllers.

46 Furthermore, it should be recalled that Article 26(1) of the GDPR provides for joint responsibility where two or more controllers jointly determine the purposes and means of the processing of personal data. That provision also states that joint controllers must, by means of an arrangement between them, determine in a transparent manner their respective responsibilities for compliance with the obligations under that regulation, unless and in so far as the respective responsibilities of the controllers are determined by EU or Member State law to which the controllers are subject.

47 It is thus apparent from that provision that the respective responsibilities of joint controllers of personal data do not necessarily depend on the existence of an arrangement between the various controllers (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras , C‑683/21, EU:C:2023:949, paragraphs 44 and 45 ), but may stem from national law.

48 In addition, the Court has held, first, that it is sufficient that a person exerts influence over the processing of personal data, for his, her or its own purposes, and participates, as a result, in the determination of the purposes and means of that processing in order for him, her or it to be regarded as a joint controller and, second, that the joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned (see, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras , C‑683/21, EU:C:2023:949, paragraphs 40 to 43 and the case-law cited).

49 It follows from paragraphs 44 to 48 of the present judgment that, under the combined provisions of Article 26(1) and point 7 of Article 4 of the GDPR, the joint responsibility of several actors in a processing chain concerning the same personal data may be established by national law provided that the various processing operations are linked by purposes and means determined by national law and that national law determines the respective responsibilities of each of the joint controllers.

50 It should be made clear that such a determination of the purposes and means linking the various processing operations performed by several actors in a chain and of their respective responsibilities may be made not only directly but also indirectly by national law, provided that, in the latter case, it can be inferred in a sufficiently explicit manner from the legal provisions governing the persons or entities concerned and the processing of the personal data that they perform in connection with the processing chain imposed by that law.

51 Last, and so far as is relevant, it must be stated that, in the event that the referring court concludes that the agency or body responsible for the Moniteur belge is not solely responsible, but jointly with others, for compliance with the principles set out in Article 5(1) of the GDPR as regards the data contained in the passage at issue in the main proceedings, such a conclusion in no way prejudges the question whether, in the light of, inter alia, the exceptions set out in Article 17(3)(b) and (d) of the GDPR, the request for erasure submitted by the natural person referred to in paragraph 13 of the present judgment should be granted.

52 In the light of the foregoing considerations, the answer to the second question is that Article 5(2) of the GDPR, read in conjunction with point 7 of Article 4 and Article 26(1) thereof, must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of that regulation, is solely responsible for compliance with the principles set out in Article 5(1) thereof as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.

Costs

53 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Third Chamber) hereby rules:

  1. Point 7 of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

    must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, which is inter alia required, under the law of that State, to publish as they stand official acts and documents that have been prepared by third parties under their own responsibility in compliance with the applicable rules, then lodged with a judicial authority that sends them to it for publication, may, notwithstanding its lack of legal personality, be classified as a ‘controller’ of the personal data contained in those acts and documents, where the national law concerned determines the purposes and means of the processing of personal data performed by that official journal.

  2. Article 5(2) of Regulation 2016/679, read in conjunction with point 7 of Article 4 and Article 26(1) thereof,

    must be interpreted as meaning that the agency or body responsible for the official journal of a Member State, classified as a ‘controller’ within the meaning of point 7 of Article 4 of that regulation, is solely responsible for compliance with the principles set out in Article 5(1) thereof as regards the personal data processing operations that it is required to perform under national law, unless joint responsibility with other entities in respect of those operations arises under that law.

[Signatures]