Data protection vs. transparency: Federal Court of Justice sets new limits for public registers

Review of judgement: Federal Court of Justice, decision of 4 June 2024 - II ZB 10/23

In June 2024, the Federal Court of Justice (Bundesgerichtshof, BGH) ruled that a former chairman of the board of an association can demand 20 years after his departure from said association that his personal data - such as his name, date of birth and place of residence - are only restrictedly accessible in the register of associations (BGH, decision of 4 June 2024 - II ZB 10/23). In theory, this decision strengthens the rights of board members of associations.

The case concerned a former chairman of the board of a data protection association who objected to the permanent availability of his personal data in the register portal of the register of associations, having already left his office two decades ago.

Similar to the commercial register for partnerships and corporations, the purpose of the register of associations is to inform the public about registered associations that do not pursue an economic purpose. Besides general information about the association and the representation relationships, the register also contains personal information such as the name, date of birth and place of residence of the board members.

The register of associations is fundamentally accessible to anyone without restriction via the electronic register portal. Even if the information is no longer up-to-date, for example when a board member has left, this data is not deleted or made unrecognisable. Outdated information is merely highlighted in colour and thus remains accessible to the public.

The Federal Court of Justice ruled that data subjects can request the restriction of access to their data in individual cases under Art. 17 (1) lit. d GDPR. Although the BGH emphasises the importance of the information and publicity function of the register, it stipulates that the processing of the data in the register must be appropriate in relation to these protectable interests (Art. 6 (3) sentence 4 GDPR).

Although the data made available in the register cannot be classed as particularly sensitive, its unrestricted availability leads to a serious loss of control. Over time, the public interest in the information diminishes after the person concerned has left the association, with the result that the unrestricted provision of such information may be inappropriate in individual cases. Whether or not this is the case must be individually assessed.

In the grounds for the decision, the BGH refers to retention and limitation periods and suggests that a restriction is generally not justified within the first ten years of a board member leaving the association. The BGH also refers to the association’s purpose, which did not indicate a broader public interest in the case at hand. The fact that the applicant had himself arranged for the data to be made available on the internet cannot be held against him in this case as, at the time of his application, it was not yet envisaged that the data would be made available in the electronically accessible register portal. However, this does not give rise to a claim to the complete deletion of the data. The continued interest in the individual case justifies the continued storage of the data.

As a consequence, the generally unrestricted right to inspect the register of associations is being restricted. In cases such as this, access to the data can only be requested if a legitimate interest is demonstrated.

It remains to be seen how case law will concretise the assessment of individual cases in the future. For example, the decision did not address the question of the extent to which, in addition to the purpose of the association, its size, scope and resulting actual participation in legal transactions influence the public interest. A greater participation in legal and commercial transactions will doubtlessly speak in favour of a longer-term public interest.

It remains unclear how exactly the restriction of access to data contained in the register of associations is going to be implemented in practice. Even months after the decision, the data can still be accessed without restriction - there has been no practical implementation of the judgement. The German Association for Data Protection (Deutsche Vereinigung für Datenschutz e.V., DVD) announced in its press release of 17 February 2025 that, after a corresponding enquiry to the registry court, that the latter simply lacked the technical possibilities and requirements to implement the ruling of the Federal Court of Justice (in the register portal of the federal states). Another factor to be taken into account here is that historical data originating from the time prior to the switch to electronic register management is usually stored as scans of the old paper registers, which naturally makes their redaction more difficult.

Whether and to what extent this decision can be transferred to other registers remains to be seen. The data protection principles of the decision apply generally and therefore also to other registers. Here as well, the legitimate interest of the data subjects in protecting their data must be reconciled with the public's interest in receiving information.

However, the BGH has made it clear that this has to be assessed on a case-by-case basis. The BGH therefore also included the association’s purpose in its assessment. Due to the fundamentally stronger economic orientation of companies listed in the commercial register and company register, the public interest in accessing personal data could be assessed as more important and justify a different decision. It also remains to be seen what impact this will have if the person in question was only appointed to an executive body after the introduction of the electronically accessible register portal.

Oppenhoff can advise you on all issues relating to the protection of your own privacy and that of your family, and will be happy to support you in analysing, monitoring and avoiding publicly accessible data as part of your family risk and privacy management. Recently, we provided extensive information on the general risks associated with transparency obligations of relevance to high net-worth individuals and entrepreneurs in the article "Transparency obligations and public registers: When the transparency of companies and high net-worth individuals becomes  dangerous". 

Back to list