Transparency obligations and public registers: when the transparency of companies and high net-worth individuals becomes dangerous

The (European) legislator is constantly promoting the "transparency" of companies. Due to diverse transparency obligations and public registers, a family business can already be subject to various statutory disclosure obligations. This can mean that practically anyone is able to view not only the company's data, but also the data of the private individuals behind it.

Which data are currently public and are there ways to restrict access to the data? We answer these questions, highlight the resulting security risks for family entrepreneurs and high net-worth individuals and show ways to minimise these risks.

This article was produced in co-operation with EPP equity protection partners (epp GmbH).

What disclosure obligations exist in the various registers?

1. Commercial register (Handelsregister)

In addition to comprehensive information on companies and their documents, such as the articles of association, data on private individuals can also be viewed in the commercial register: First and last names, dates of birth and places of residence (excluding street and house number) of all shareholders of the shareholders of a GmbH (so-called list of shareholders), the managing directors of a GmbH, the members of the management board of an AG and their supervisory board members must be stated and thus disclosed. The occupation of supervisory board members also has to be disclosed.

As the commercial register also files the documents accompanying the applications in the public register file (e.g. the corresponding notarial deed), it is often possible to view the private residential addresses or even serial numbers of identity documents or bank account details here.

These documents and data are freely accessible to everyone. There is no need to demonstrate a legitimate interest in accessing them. Since 1 August 2022, there are no longer any fees for retrieving documents from the commercial, partnership, cooperative and association registers. Verification of the person accessing the documents in the form of a registration requirement has also been abolished. This has led to masses of documents being automatically downloaded from the commercial register, which has been widely criticised by data protectionists.

Unlike in other registers, the information to be provided in the commercial register fundamentally cannot be restricted in order to protect commercial transactions. The Federal Court of Justice (Bundesgerichtshof, BGH) has left open the question of whether exceptions are possible in the event of a specific risk to the natural person shown in the commercial register, but strong voices in the legal literature have affirmed this.

The nationwide amendment to the Official Regulations for Notaries (Dienstordnung für Notarinnen und Notare, DONot) and the Commercial Register Ordinance (Handelsregisterverordnung, HRV) in June 2023 has brought a slight improvement: a residential address (street and house number) need not be stated in notarial deeds if its omission is necessary to protect vulnerable parties or their household members. In special cases, the place of residence may also be omitted. Insofar as the document is transmitted to the commercial register, the addresses may also be omitted in cases where there is no danger to the parties as long as any doubts and confusion are ruled out. Instead of the residential address and place of residence of natural persons, a business or office address and the place of business or office may be stated.

In documents that are sent to the commercial register in a publicly certified form, residential addresses, serial numbers of identity documents and bank account details are no longer to be included. Documents containing such information that are already included in the register file can be replaced. This is applied for by the notary by submitting a "rectified" document. It remains unclear whether and under what conditions a right to the exchange of documents exists. We will have to await further developments and case law in this regard.

2. Transparency register (Transparenzregister)

Companies and comparable legal structures such as foundations are obliged to publish certain information on beneficial owners in the transparency register and to update it on an ongoing basis. Violations of these compliance obligations can result in a fine. Under certain circumstances, foreign companies are also affected by these transparency obligations. Conversely, corresponding transparency obligations also exist abroad.

Beneficial owners are natural persons who ultimately own or control a company. The most common case is the direct or indirect holding of more than 25% of the capital shares or voting rights in a company. The information on the beneficial owner includes the first name and surname, date of birth, place of residence, all nationalities and the type and scope of the economic interest (Section 19 (1) of the German Money Laundering Act (Geldwäschegesetz, GwG)).

As regards the conditions and scope of access to the transparency register, the Money Laundering Act differentiates between various groups of parties accessing the information. For example, authorities may access all information on beneficial owners, but only to the extent necessary to fulfil their statutory duties.

The 5th EU Money Laundering Directive initially stipulated that "all members of the public" should be entitled to inspect the transparency register. However, the European Court of Justice put a stop to this in its ruling of 22 November 2022 (joined cases C-37/20 and C-601/20) and declared the regulation invalid, citing a violation of the EU Charter of Fundamental Rights (see article of 8 December 2022). Since December 2022, public access to the register has therefore depended on the demonstration of a legitimate interest. According to the explanatory memorandum to the law, a legitimate interest exists if a "connection to the prevention and combating of money laundering, related predicate offences such as corruption and terrorist financing can be clearly demonstrated." As examples, the explanatory memorandum cites non-governmental organisations that are committed to combating money laundering, its predicate offences and terrorist financing or specialist journalists whose “investigation serves to prepare a serious and fact-related debate” of the aforementioned topics.

The inspection of the personal data of the beneficial owner listed in the transparency register may be restricted at the beneficial owner’s request if the inspection conflicts with an overriding protectable interest of the beneficial owner. According to Section 23 (2) sentence 2 no. 1 GwG, a protectable interest exists if the inspection would expose the beneficial owner to the risk of becoming a victim of fraud, abduction for the purpose of extortion, hostage-taking, extortion (with use or threat of force), a criminal offence against life and limb, coercion or a threat, or according to Section 23 (2) sentence 2 no. 2 GwG if the beneficial owner is a minor or legally incompetent. A protectable interest does not exist in particular if the personal data can already be viewed in another public register. However, in this case the protectable interest must outweigh the interest in inspection in the individual case.

In clarification, please note that the restriction option does not apply to courts, authorities and individual persons obliged to carry out money laundering checks.

In practice, restricting access involves considerable effort and difficulties. The beneficial owner’s interest must be proven in detail. This usually requires that a comprehensive security analysis be carried out, which provides information about the financial and family circumstances of the person concerned and shows the extent to which they are known to the public to date. The risk situation must be presented as precisely as possible, usually on the basis of general information concerning the risk to political and economic decision-makers such as the person concerned (e.g. on the basis of political studies on the political climate, evaluation of crime statistics) and additional information on the specific risk to the person concerned (e.g. presentation of past incidents relating to the person concerned or persons close to them, the extent of the person's wealth). An acute security situation in the beneficial owner's country of residence and the resulting risk of becoming a victim of a criminal offence also have a positive impact on an inspection restriction being granted.

The application is made more difficult by the fact that the transparency register generally rejects a "pre-filing", i.e. an advance submission of the draft application and discussion of this draft and its prospects of success. Rather, an examination is only made after the application has been submitted. After receipt of the application, the data for inspection is provisionally blocked for the duration of the examination. If the application is rejected, the temporary block remains in place until this decision becomes final. Thereafter, access is possible without restriction and the private data can therefore be retrieved. It is therefore all the more important that the formal application is well prepared. A corresponding security analysis and/or police categorisation is therefore essential.

Requests made to the transparency register always relate to a legal entity. It is not possible to request an overview of the shareholdings of natural persons. Even if the residential address itself cannot be identified via the transparency register, conclusions can be drawn about a person's wealth via the capital shares. In particular, a request can lead to the loss of anonymity of shareholders or heirs who are unknown to the public. Among other things, some media have taken it upon themselves to categorise wealthy individuals in so-called rich lists. Among other things, this entails the risk of these individuals becoming a victim of criminal offences such as fraud, extortion (with use or threat of force) or even abduction for the purpose of extortion, hostage-taking, criminal offences against life and limb, coercion or threats.

3. Foundation directory (Stiftungsverzeichnis)

To date, each federal state has had its own foundation directory for foundations with legal capacity. For example, the Foundation Act for North-Rhine Westphalia (Stiftungsgesetz NRW, StiftG NRW) (Section 10 StiftG NRW) stipulates that the following information must be entered in the electronic foundation directory: name, registered office and purposes of the foundation as well as the address of the head office, the authorised representative bodies and persons of the foundation, the nature of their power of representation, the date of its recognition as a foundation with legal capacity and the responsible foundation authority.

A nationwide foundation register is being introduced as of 1 January 2026, with the result that the regulations under federal state foundation law will cease to apply. A wide range of information will then have to be entered in the foundation register, including the first name and surname, date of birth, place of residence and the power of representation of the board members and special representatives. The articles of association will also have to be attached to the application to the foundation register.

In accordance with Section 19 no. 4 StiftRG, which has already come into force, the Federal Ministry of Justice and Consumer Protection (Bundesministerium der Justiz und für Verbraucherschutz) can issue more detailed provisions by ordinance on the procedure for inspecting the register and the register files, including regulations on restricting or excluding access to documents submitted to the foundation register. To date, however, no restriction on inspection has been proposed. Rather, the creation of particularly easy access for citizens has been discussed in order to make it easier for interested citizens to inspect the register.

It remains to be seen how the law will develop. Foundations should pay attention, possibly already when drawing up their articles of association, to what data they mention in their articles with a view to their being made public at a later date. To date, for example, family foundations in particular often include in the articles of association personal details about individual family members or the founder, which should be omitted if possible. In case of existing foundations, foundation documentation can still be amended until 2026, if necessary, in order to account for this. The foundation supervisory authorities are generally open to such amendments, but should always be contacted in advance.

4. Land register (Landregister)

The land register also contains personal data.

If a natural person is entered in the land register as the beneficiary, the first name and surname, date of birth and, if evident from the registration documents, academic degrees and previous surnames must be stated. If the date of birth is not evident from the registration documents and is not otherwise known to the land registry, the place of residence of the beneficiary should also be stated.

If a legal entity or a partnership with legal capacity is the beneficiary in the land register, the name or company name, the registered office, the register court and the register page of the entry in the respective register (commercial, cooperative, company, partnership or association register) must be disclosed.

Pursuant to Section 12 (1) sentence 1 of the German Land Registry Code (Grundbuchordnung, GBO), an inspection is permissible for anyone who can demonstrate a legitimate interest. This is to be understood as any reasonable interest that is justified by the circumstances, whereby the protectable interests of the registered beneficiary must be taken into account.

Due to the lack of a centrally accessible land register, the risk of the land register being made public is lower than with other registers. However, as soon as the local court at which the land register is kept is known, there is a risk that the individual property, including (residential) address, can be determined by way of a name search via a notary, for example.

Depending on the individual case, consideration should therefore be given to whether the property should not be acquired and held through a spouse, partner or family member with a different name or by a trustee.

5. Register of residents (Melderegister)

The register of residents contains comprehensive data on all residents in the area of responsibility of the respective registration authority.

When inspecting the register of residents, a distinction must be made between simple and extended resident register information.

As part of the simple resident register information in accordance with Section 44 of the Federal Registration Act (Bundesmeldegesetz, BMG), information can be requested about a person's first name and surname, doctor's degree, current addresses and, if the person is deceased, this fact. A legitimate interest is not required for simple information from the register of residents. However, the applicant must provide the registration authority with as much meaningful personal information as possible about the person concerned so that they can be clearly identified. This includes information about the surname, former surname, first names, date of birth, gender or an address, whereby there is no minimum amount of data to be provided.

In the case of extended resident register information in accordance with Section 45 BMG, information may also be provided on previous names, date and place of birth and, if born abroad, also the country, marital status (limited to information on whether or not married or in a civil partnership), current nationalities, previous addresses, date of moving in and moving out, surname and first names and address of the legal representative, spouse or civil partner as well as date and place of death and, in the case of death abroad, also the country.

Unlike in the case of simple information from the register of residents, the applicant must have a legitimate interest in order to obtain extended information from the register of residents. A legitimate interest is understood to be any interest of a legal, economic or non-material nature permitted by the legal system that outweighs the protectable interests of the data subject in the non-disclosure of their registration data. A legitimate interest may exist, for example, in the case of a search for missing persons, a research project and, where appropriate, a credit check by credit institutions.

According to Section 51 (1) BMG, an application to block information can be made to the responsible registration authority if one can justifiably assume that there is a risk to life, health, personal freedom or similar protectable interests, such as threats, insults or unauthorised stalking. In order to be able to prove a threat, security analyses such as digital visibility and vulnerability analyses can be carried out and security classification obtained from a local police station or the Federal State Office of Criminal Investigation (Landeskriminalamt, LKA).

Documents demonstrating the threat can be used to prove the protectable interest to the responsible official at the Citizens' Office (Bürgerbüro). The documentary evidence must stand up to scrutiny and confirm the stated danger.

It can be assumed that the responsible officials at the Citizens' Office will subject the application to a due diligence check and start an examination of the data of the requested information block. A digital visibility and vulnerability analysis therefore has to be carried out before the application is submitted in order to find possible matches in all available public sources, social networks and databases. Information that is particularly easy to find and provides information about the private address(es) urgently needs to be deleted before applying for the information block. As a rule, data published by the company itself is easy to delete, whereas for third-party websites (e.g. online telephone directories) deletion requests will have to be submitted, which in some cases require identification.

Please note that search engines can create an image ("cache") of a website, which may contain information that has already been changed or deleted from the live page. These images must be notified directly to the search engine operator. Deletion from the search engine can take anything from a few days to several weeks. In social networks, deletion can be requested from known third parties or, in case of doubt, a request for deletion can be submitted to the respective data protection authority of the network to ensure the protection of privacy.

In order to apply for an information block, a certain level of risk has to exist. In the case of specific threats, appropriate evidence must be submitted when filing the application. However, protectable concerns often involve an abstract threat. Concerns regarding an abstract threat arise, for example, from professional or voluntary activities (e.g. managing directors of a large company, politicians, association chairmen), the scope of wealth (e.g. rich lists), abstract threats from violent ideological groups that condone physical and emotional violence against individuals and their environment or criminal actors operating in the environment.

It is important to substantiate the abstract threats with similar incidents involving comparable groups of people in order to present realistic threat scenarios. In addition, threats, hate speech and insults against individuals are published on social networks in particular under the guise of anonymity, which both restrict personal freedom and pose a risk to life and health. Please also noted that, even in the case of professional exposure, private protectable interests prevail. Exposed persons in particular can request a security classification from the relevant police station or Federal State Office of Criminal Investigation.

In addition to the detailed application for an information block with supporting documents, an additional conversation with the responsible case officer can help to verbally present the risk situation and to be able to respond to corresponding further queries.

On average, the process from taking the preparatory measures to submitting the application is estimated to take several weeks.

6. Lobby register (Lobbyregister) and patent register (Patentregister) 

The lobby register publishes details of lobbyists who contact members, employees or heads of department of the Bundestag or the Federal Government, either directly or on their behalf, in order to exert direct or indirect influence on their decision-making processes.

Lobbyists subject to registration must disclose a wide range of easily ascertainable information such as the company name, legal form and legal representation, but also information that requires a more detailed overview of the lobbying activity, such as specific descriptions of the activities carried out and all persons behind them; the main sources of funding as a proportion of total revenue; current, planned or intended regulatory projects, and detailed information on contractual relationships (Section 3 (1) Nos. 1-8 of the German Lobby Register Act (Lobbyregistergesetz, LobbyRG).

The lobby register is public and can therefore be viewed without restriction.

The patent register allows anyone to obtain information about a patent (Sections 30 (1) sentence 1, 31 (1) sentence 2 of the German Patent Act, (Patentgesetz, PatG)). The name and place of residence of the applicant or the proprietor of the patent and their representatives or authorised agents can be viewed in accordance with Section 30 (1) sentence 1 PatG.

Future developments

European legislators are also planning to further tighten measures in the fight against money laundering.

The introduction of an EU-wide register of beneficial owners of assets with a value of more than 200,000 euros is under discussion. In this context, further consideration is being given to combining the information from existing registers. Whether and when such a register will be set up remains to be seen.

There are also plans to set up a new EU anti-money laundering authority, the Anti-Money Laundering Authority (AMLA), which will be based in Frankfurt am Main and is expected to be operational from mid-2025. The authority will continue to contribute to the fight against money laundering by carrying out its own supervisory activities and improving and coordinating cooperation between the national supervisory authorities.

Security risks

Legal disclosure obligations in public registers pose a particular risk for exposed persons. Due to the public interest in gaining an insight into their private lives, the published personal data can pose risks to privacy, personal security or identity misuse. While a "legitimate interest" must be demonstrated in order to access some registers, other registers allow documents containing personal data to be obtained free of charge without the obligation to register.

This is particularly evident in the case of threats to leaders whose private addresses are publicly accessible through entries in the commercial register. Wealthy individuals run the risk of becoming victims of robbery or kidnapping if their private retreats are publicly known.

The disclosure of such information through register entries or public documents makes it much easier for criminals to plan and carry out criminal offences. Entrepreneurs are also exposed to considerable risks, especially if they are involved in projects that meet with opposition. An entrepreneurial project that meets with opposition from the public can lead to opponents of the project expressing their displeasure on the entrepreneur's private property. This can range from damage to property to personal threats and violence. In addition, in accordance with Section 285 no. 9 a) of the German Commercial Code (Handelsgesetzbuch, HGB), for example, the total remuneration granted to members of the management in the financial year must be disclosed. Even if this does not include individualised information on individual members, it still allows conclusions to be drawn about current income. In addition to this, there is mandatory information such as shareholdings.

This data can be misused by criminals to commit fraud or identity theft by specifically exploiting vulnerabilities and in some cases causing considerable financial damage. Ultimately, politically or socially engaged individuals can be targeted by extremist groups through the disclosure of their private data. These individuals run the risk of being threatened or attacked because of their activities.

Conclusion

High net-worth individuals or other exposed persons face enormous security risks due to the numerous disclosure obligations. Without further security precautions, including restrictions on access to the respective registers, journalists and criminals can easily gain access to personal data.

High net-worth or vulnerable private individuals are therefore well advised to seek appropriate security analysis and advice at an early stage in order to recognise potential risks. Targeted measures then need to be taken and a concept developed to reduce these risks and protect private individuals appropriately.

Oppenhoff is on hand to advise you on all issues relating to the protection of your own privacy and that of your family and would be happy to support you in analysing, monitoring and avoiding publicly visible data as part of our family risk and privacy management. The services offered by our partner EPP equity protection partners (epp GmbH), one of the leading specialists in digital visibility, vulnerability and risk analysis, include the identification and evaluation of sensitive data and risks using advanced analysis tools.

Update register of associations:

According to a current BGH decision on the register of associations, former association board members may be entitled to the restriction of the availability of their data in the register of associations.

The purpose of the register of associations is to inform the public about registered associations. Besides general data about the association and its representation relationships, it also contains personal information such as the name, date of birth and place of residence of the board members.

Whether and under what conditions board members are entitled to a restriction of the availability of their data must be assessed in the individual case. 

The BGH clarified that the public fundamentally also has a strong interest in the availability of the data of former board members. However, in individual cases, the public interest in information may become subordinate to the board member’s personal interest in the protection of their personal data after a certain amount of time has passed. 

In its decision, the BGH affirmed a claim to the restriction of access after a period of 20 years since the board member’s departure. The court based its decision on the expiry of the statutory limitation periods and the retention periods of 10 years under commercial and company law, reasoning that this data is likely to be less relevant for legal transactions after this period has expired. Access to the data should therefore only be granted if a legitimate interest can be demonstrated. It will be interesting to see how this restriction will be implemented in practice.

Back to list