Company law and corporate governance: interconnection of central, commercial and company registers

2011/0038(COD)

Opinion 2011/C 220/01 of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council amending Directives 89/666/EEC, 2005/56/EC and 2009/101/EC as regards the interconnection of central, commercial and companies registers conclusions.

The EDPS supports the objectives of the Proposal, and makes the following points:

Essential data protection safeguards should be set forth in the proposal itself and should not be left for delegated acts: the text requires disclosure of the appointment, termination of office and particulars of the persons who are (i) authorised to represent the company and/or (ii) are otherwise involved in the company’s administration, supervision or control. This is not a new requirement in Member States – the novelty of the proposal is that the information which has thus far been available in a fragmented manner, often only in local languages and via local websites, will now be easily accessible, via a common European platform/access point, in a multilingual environment. The proposal leaves all further details to delegated acts.

The EDPS emphasises that the necessary data protection safeguards should be clearly and specifically provided for directly in the text of the Directive itself, since he considers them essential elements. Among the privacy risks present (due to easy availability of the data in digital form over a common electronic access point) are identity theft and other criminal activities, as well as the risk that the information disclosed may be unlawfully harvested and used by companies for commercial purposes that were not foreseen initially, after profiling the individuals concerned. Without adequate safeguards, the information may also be sold to others, or combined with other information and sold back to governments to be used for unrelated and undisclosed purposes (e.g. for tax law enforcement or other criminal or administrative investigations) without an adequate legal basis. For these reasons, it must be carefully assessed what personal information should be made available via the common European platform/access point, and what additional data protection safeguards — including technical measures to restrict search or download capabilities and data mining — should apply. Additional provisions regarding the implementation of specific safeguards can be set forth in delegated acts.

The EDPS goes on to state that the issues of governance, roles, competences, and responsibilities need to be addressed in the proposed Directive, rather than in the delegated acts. To this end, the proposed Directive should establish:

  • whether the electronic network will be operated by the Commission or by a third party and whether it will have a centralised or decentralised structure;
  • the tasks and responsibilities of each party involved in the data processing and the governance of the electronic network, including the Commission, Member State representatives, the holders of business registers in Member States and any third parties;
  • specific and unambiguous elements to determine whether a particular actor should be regarded as a ‘controller’ or as a ‘processor’.

Legal basis: according to the EDPS, any data exchange or other data processing activity using the electronic network (e.g. public disclosure of personal data via the common platform/access point) should be based on a binding EU act adopted on a solid legal basis. This should be clearly laid down in the proposed Directive.

Applicable law: since it is possible that the Commission or another EU institution/body may also process personal data in the electronic network (e.g. by acting as an operator of the network, or by retrieving personal data from it), a reference should also be made to Regulation (EC) No 45/2001. It should also be clarified that Directive 95/46/EC applies to the business registers as well as other parties acting under their national laws in Member States, whereas Regulation (EC) No 45/2001 applies to the Commission and other EU institutions and bodies.

Transfer of personal data to third countries: the proposal should clarify that in principle, and with the exception of cases falling under Article 26(1)(f) of Directive 95/46/EC, transfers can only be made to a third country that does not afford adequate protection if the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. Such safeguards may in particular result from appropriate contractual clauses in place under Directive 95/46/EC. Further, the Commission should assess what technical and organisational measures to take to ensure that privacy and data protection are designed into the architecture of the electronic network (‘privacy by design’) and that adequate controls are in place to ensure data protection compliance and provide evidence thereof (‘accountability’).

Other recommendations of the EDPS include:

  • the proposed Directive should clearly specify that the electronic network should enable (i) on the one hand, specific manual data exchanges between business registers; and, (ii) on the other hand, automated data transfers. The proposal should also be modified to ensure that (i) delegated acts will comprehensively cover both manual and automated data exchanges and (ii) all processing operations that may involve personal data (not only storage and retrieval); and that (iii) specific data protection provisions in delegated acts will ensure the practical application of relevant data protection safeguards;
  • the proposal should modify Article 2 of Directive 2009/101/EC to clarify what, if any, personal data, in addition to the names of the individuals concerned, are required to be disclosed. It should also be clarified whether data regarding shareholders are required to be disclosed. In doing so, the need for transparency and accurate identification of these individuals should be carefully considered but must also be balanced against other competing concerns such as the need to protect the right to the protection of personal data of the individuals concerned;
  • it should be clarified in the proposal whether Member States may eventually publicly disclose more information via the common portal (and/or exchange more information with each other) based on their own national laws, subject to additional data protection safeguards;
  • the proposed Directive should specifically provide that personal data that have been made available for purposes of transparency will not be misused for additional, unrelated purposes and that to this effect, technological and organisational measures should be implemented, following the principle of privacy by design.

Lastly, the proposal should also include specific safeguards with respect to notice provision to data subjects as well as a requirement to develop the modalities of an arrangement to enable data subjects to make use of their rights in delegated acts.