Online commercial register not compatible with EU data protection law

Now a legal opinion suggests shutting down the online commercial register until the problems are solved: “Until a data protection-compliant new regulation and redesign of the online portal is to be discontinued, its operation in its current form,” says the short report, which is available to the Handelsblatt.

The current design of the portal, with its “undifferentiated and de facto uncontrolled making publicly available, including documents with some very sensitive personal data”, is incompatible with EU data protection law. The expertise comes from Benedikt Buchner, who is a professor for the law of digitization at the University of Augsburg. Buchner prepared his report on behalf of the association “Die Familienunternehmer”.

Many entrepreneurs are in turmoil because since August 1st the common register portal of the federal states without user registration and retrieval fees it is possible to view and save excerpts from the commercial register and notarial entries such as documents. The legal basis is the law that implements the EU Digitization Directive (DiRUG). The company leaders fear misuse of the data.

Top jobs of the day

Find the best jobs now and
be notified by email.

According to the legal opinion, the design of the online portal violates the principle of proportionality because the encroachment on the fundamental rights to privacy and data protection is not limited to what is “absolutely necessary”. These would be guaranteed by the European Union’s Charter of Fundamental Rights, which was also “repeatedly expressly reflected” in the General Data Protection Regulation (GDPR).

The report states: “If all information and documents that were previously submitted to decentralized registers that were only accessible with a certain amount of effort can now be accessed online for everyone without differentiation and without access restrictions via the portal, there is no restriction to the absolutely necessary.”

This applies in particular for data such as private addresses, bank details, signatures or copies of ID cardswhich open up particular potential for data misuse, identity theft and other criminal offenses and which have so far also been freely accessible via the online portal.

Expert refers to the European Court of Justice

The current design of the online commercial register cannot be justified with the new requirements of the digitization directive either. This does not prescribe the publication of data to the extent that is currently practiced via the online portal, nor is public access to be equated with unrestricted access, as is currently characteristic of the online portal.

In his short report, legal expert Buchner refers to the case law of the European Court of Justice (ECJ): “In its decisions, the ECJ has repeatedly emphasized that particularly in the case of publications which ultimately lead to all persons who have access to the Internet also having access to the published data is possible, particularly strict requirements must be applied to the proportionality of the data publication.”

These requirements also apply to the online commercial register.

Marco Buschmann (FDP)

New access to the online commercial register means that entrepreneurs’ sensitive data can be viewed freely. The Federal Minister of Justice wants to intervene.

(Photo: Reuters)

Although the goal of the portal is easy access for investors, stakeholders, business partners and authorities to information about companies to create in the public interest. From the point of view of the ECJ, however, it is problematic that a potentially unlimited number of people can view the sensitive data.

Initially, no statement could be obtained from the Federal Ministry of Justice. However, data protection in the commercial register is on the agenda of the conference of justice ministers, which will take place in Berlin on Thursday.

Does the portal have to be shut down?

Legal expert Buchner assumes that a differentiated design of the register “would have been associated with a considerable amount of additional time, administrative and financial effort, which the bodies entrusted with implementation might not have been able to afford in good time with the funds available to them”.

However, the ECJ made it unmistakably clear that the insufficient resources of public authorities can never constitute a legitimate reason to justify an encroachment on the fundamental rights to privacy and data protection.

>> Read also: Lists of shareholders, places of residence and signatures online: New commercial register alarms entrepreneurs

According to the expert opinion, the operation of the online portal must be discontinued until a new regulation is found. The previous unlawfulness of the portal could therefore not be compensated for by the data subjects being asked to make use of their deletion or revocation rights. However, this has been the case so far: Most recently, the Ministry of Justice of North Rhine-Westphalia (NRW), which is responsible for operating the register portal, asked complainants to contact the responsible register courts in order to check entries and, if necessary, have them deleted.

The legal opinion states: Ensuring legally compliant data processing is not the task of those affected, but of the authority responsible for data processing – in this specific case the NRW Ministry of Justice.

NRW data protection officer should ban registers

According to the expert, if the ministry remains inactive, the supervisory authority responsible for compliance with the GDPR must intervene. The NRW data protection officer Bettina Gayk is therefore obliged to take appropriate measures if a data protection violation is recorded.

The report states: “Remedial measures range up to a complete ban on data processing if the responsible bodies are currently unable to operate the online portal in a legally compliant manner with graduated inspection options.”

The case is clear for the president of the association “Die Familienunternehmer”, Reinhold von Eben-Worlée: “As long as all stored data has not been evaluated for compatibility with the GDPR, the portal must be taken offline.”

More: The administrative madness from A to Z – and what helps against it

Source link