Provisional text

JUDGMENT OF THE COURT (First Chamber)

3 April 2025 ( * )

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 4 – Definitions – Article 6 – Lawfulness of processing – Article 86 – Public access to official documents – Data concerning the representative of a legal person – Case-law of a national court imposing an obligation to inform and consult the data subject prior to disclosure of official documents containing such data )

In Case C‑710/23,

REQUEST for a preliminary ruling under Article 267 TFEU from the Nejvyšší správní soud (Supreme Administrative Court, Czech Republic), made by decision of 1 November 2023, received at the Court on 22 November 2023, in the proceedings

L.H.

v

Ministerstvo zdravotnictví,

THE COURT (First Chamber),

composed of F. Biltgen, President of the Chamber, T. von Danwitz (Rapporteur), Vice-President of the Court, A. Kumin, I. Ziemele and S. Gervasoni, Judges,

Advocate General: J. Richard de la Tour,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

– the Czech Government, by L. Březinová, M. Smolek and J. Vláčil, acting as Agents,

– the European Commission, by A. Bouchagiar and P. Ondrůšek, acting as Agents,

having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of point 1 of Article 2 and Article 6(1)(c) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2 The request has been made in proceedings between L.H. and Ministerstvo zdravotnictví (Minister of Health, Czech Republic) concerning the latter’s decision not to disclose to L.H. certain information concerning representatives of legal persons, referred to in contracts for the purchase of COVID-19 screening tests, and in certificates relating to those tests.

Legal context

European Union law

3 Recitals 1, 4, 10, 14 and 154 of the GDPR state:

‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

…

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

…

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. … To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

…

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

…

(154) This Regulation allows the principle of public access to official documents to be taken into account when applying this Regulation. Public access to official documents may be considered to be in the public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body if the disclosure is provided for by Union or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal data and may therefore provide for the necessary reconciliation with the right to the protection of personal data pursuant to this Regulation. The reference to public authorities and bodies should in that context include all authorities or other bodies covered by Member State law on public access to documents. …’

4 Article 1 of the GDPR, entitled ‘Subject matter and objectives’, provides, in paragraph 2:

‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’

5 Under Article 4 of the GDPR, entitled ‘Definitions’:

‘For the purposes of this Regulation:

(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…’

6 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides:

‘1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

…’

7 Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides:

‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

…

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

…’

8 Article 86 of the GDPR, entitled ‘Processing and public access to official documents’, in Chapter IX of that regulation, which contains the provisions on specific processing situations. That article provides:

‘Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.’

Czech law

9 The zákon č. 106/1999 Sb., o svobodném přístupu k informacím (Law No 106/1999 on free access to information) imposes an obligation on public authorities to disclose information to the natural or legal person on request.

10 Under Article 8a(1) of that law, the party responsible for providing information may disclose information relating to a natural person’s personality, personal sphere, private life and personal data only in accordance with the rules governing the protection thereof.

The dispute in the main proceedings and the questions referred for a preliminary ruling

11 L.H. lodged a request with the Ministry of Health for information concerning the identification of persons who had signed contracts for the purchase of COVID-19 screening tests concluded by that ministry, as well as certificates relating to those tests and demonstrating that they may be used on the territory of the European Union.

12 That ministry partially granted L.H.’s request and sent him the certificates relating to those tests, redacting the information relating to the natural persons who had signed those certificates on behalf of the legal persons concerned, including the forename, surname, signature and position held by those natural persons and, in some cases, the email address, telephone number and website of those legal persons. The reason used to justify the redaction of that information was the protection of the personal data of the natural persons referred to in those certificates, in accordance with the requirements of the GDPR.

13 L.H. brought an action for annulment of the Ministry of Health’s decision to disclose before the Městský soud v Praze (Prague City Court, Czech Republic) in so far as it redacted that information. The court upheld that action, holding that the Ministry could not refuse, as a matter of principle, to disclose information constituting personal data without having first informed or obtained the opinion of the data subjects on the request for disclosure of those data, as provided for in the relevant national case-law. According to that court, by acting in that way, the Ministry of Health, first, failed to recognise data subjects as ‘parties to the proceedings’, within the meaning of domestic law, and, second, did not satisfy itself to the requisite legal standard that none of the conditions of lawfulness referred to in Article 6(1) of the GDPR was satisfied.

14 The Ministry of Health brought an appeal on a point of law against the decision of the Městský soud v Praze (Prague City Court) before the Nejvyšší správní soud (Supreme Administrative Court, Czech Republic), which is the referring court. According to that ministry, the failure to inform the natural persons concerned of the request for disclosure of the data at issue cannot constitute a procedural defect. The Ministry argues that those persons operate from China and the United Kingdom, where the legal persons issuing the certificates are registered, and that the domicile of those persons is unknown to it. It is therefore impossible for it to inform and consult them on that subject.

15 In that context, the referring court asks, in the first place, whether the data at issue in the main proceedings constitute ‘personal data’ within the meaning of point 1 of Article 4 of the GDPR. In the light of recital 14 of that regulation, it would be inclined to take the view that such information constitutes data concerning a legal person, falling outside the scope of that regulation. That court observes, however, that the Court’s case-law favours a broad interpretation of the concept of ‘personal data’, from which, in its view, it follows that information relating to identifiable natural persons, in particular from a commercial register, falls within that concept.

16 In the second place, should the Court take the view that the data at issue in the main proceedings constitute personal data, the referring court is uncertain as to whether the relevant national case-law, which requires the controller, to which a request for disclosure of those data has been made, to inform and consult the data subject before disclosing those data to the applicant is compatible with EU law. The referring court further states that that obligation also applies in situations where the GDPR itself does not require the data subject’s consent, namely in situations other than that referred to in Article 6(1)(a) of the GDPR. That obligation therefore goes beyond the requirements of the GDPR and thus makes access to the data at issue potentially more difficult than in other Member States. In addition, given the scope of the GDPR, according to the referring court, it would be difficult, if not impossible, systematically to apply the obligation of prior information and consultation, in particular as regards files relating to large numbers of persons established in different countries.

17 It was in those circumstances that the Nejvyšší správní soud (Supreme Administrative Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Does the disclosure of the first name, surname, signature and contact information of a natural person as the director or responsible representative of a legal person, made exclusively for the purpose of identification of the (person authorised to represent a certain) legal person … constitute processing of ‘personal data’ of the natural person concerned, pursuant to [point 1 of Article 4] of the GDPR, and thus fall within the scope of [that regulation]?

(2) Can national law, including settled case-law, render the application by an administrative authority of a directly applicable EU regulation, namely Article 6(1)(c) or (e) of the GDPR, conditional on compliance with other conditions that do not follow from the text of the regulation itself but which, nevertheless, essentially extend the level of protection of personal data subjects, namely the obligation of a public authority to inform the data subject in advance of the submission of a request for the provision of his or her personal data to a third party?’

Consideration of the questions referred

The first question

18 By its first question, the referring court asks, in essence, whether points 1 and 2 of Article 4 of the GDPR must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data, even if that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person.

19 As a preliminary point, it should be noted that, according to the information provided by the referring court, the legal persons which issued the certificates at issue in the main proceedings are established in third countries, namely China and the United Kingdom. Although such legal persons may, under certain conditions, be subject to the disclosure rules laid down by Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 on certain aspects of company law (OJ 2017 L 169, p. 46), in particular as regards the compulsory disclosure of the identity of the persons who are authorised to represent those legal persons in dealings with third parties, there is nothing in the documents before the Court to indicate that that directive is relevant in the present case.

20 Having made that preliminary remark, it should be recalled that, under point 1 of Article 4 of the GDPR, ‘personal data’ means ‘any information relating to an identified or identifiable natural person’. A ‘natural identifiable person’, within the meaning of that provision, is ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural personal’.

21 According to settled case-law, the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject. Information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (judgments of 7 March 2024, IAB Europe , C‑604/22, EU:C:2024:214, paragraphs 36 and 37, and of 4 October 2024, Agentsia po vpisvaniyata , C‑200/23, EU:C:2024:827, paragraphs 130 and 131, and the case-law cited).

22 Thus, information relating to the identity of identified or identifiable natural persons who, as a body constituted pursuant to law, or as members of such a body, are authorised to represent a company in dealings with third parties constitutes ‘personal data’ within the meaning of point 1 of Article 4 of the GDPR. The fact that that information was provided as part of a professional activity does not mean that it cannot be characterised as personal data (see, by analogy, judgment of 9 March 2017, Manni , C‑398/15, EU:C:2017:197, paragraphs 32 and 34, and the case-law cited).

23 As the Commission observed, that interpretation cannot be invalidated by recital 14 of the GDPR. The second sentence of that recital refers, inter alia, to the ‘name’ and ‘contact details’ of the legal person, and not that of natural persons acting in the name of or on behalf of a legal person.

24 In the present case, it should be noted that the first name and surname of an identified or identifiable natural person constitute personal data within the meaning of point 1 of Article 4 of the GDPR. The same applies to the signature of a natural person (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata , C‑200/23, EU:C:2024:827, paragraph 136).

25 As regards the other contact details at issue in the main proceedings, it is for the referring court to ascertain, in the light of the case-law referred to in paragraph 21 above, whether those contact details are linked to an identified or identifiable natural person.

26 As to the concept of ‘processing’, within the meaning of point 2 of Article 4 of the GDPR, that provision defines it as meaning ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

27 Thus, it is apparent from the expression ‘any operation’ that the legislature intended to give that concept a broad scope, which is corroborated by the non-exhaustive nature, expressed by the phrase ‘such as’, of the operations listed in that provision, which include disclosure by transmission, dissemination or otherwise making available, whether or not by automated means (see, to that effect, judgment of 7 March 2024, Endemol Shine Finland , C‑740/22, EU:C:2024:216, paragraphs 29 and 30, and the case-law cited).

28 In any event, there is nothing in the wording of point 2 of Article 4 of the GDPR to suggest that the EU legislature intended those operations to be classified as ‘processing’ according to their purpose.

29 That interpretation is consistent with the objective pursued by the GDPR, as is set out in Article 1 thereof and in recitals 1 and 10 thereof, consisting, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter and Article 16(1) TFEU (see, to that effect, judgment of 9 January 2025, Mousse , C‑394/23, EU:C:2025:2, paragraph 21 and the case-law cited).

30 In the present case, the disclosure of data such as the first name, surname, signature and contact details of a natural person representing a legal person falls within the concept of ‘processing’ within the meaning of point 2 of Article 4 of the GDPR. As is apparent from paragraphs 27 to 29 above, the fact that the sole purpose of the disclosure of such data is to enable the identification of a natural person authorised to act on behalf of a legal person is irrelevant for the purposes of classification as ‘processing’ within the meaning of that provision.

31 In the light of the foregoing considerations, the answer to the first question is that points 1 and 2 of Article 4 of the GDPR must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data. The fact that that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person is irrelevant in that regard.

The second question

32 By its second question, the referring court asks, in essence, whether Article 6(1)(c) and (e) of the GDPR must be interpreted as precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data.

33 In accordance with the objective pursued by the GDPR, as recalled in paragraph 29 above, any processing of personal data must, inter alia, comply with the principles relating to the processing of such data set out in Article 5 of that regulation and satisfy the lawfulness conditions listed in Article 6 of that regulation (judgment of 9 January 2025, Mousse , C‑394/23, EU:C:2025:2, paragraph 22 and the case-law cited).

34 In that regard, Article 5(1)(a) of the GDPR provides that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

35 Article 6(1)(c) of the GDPR provides that processing may be lawful if and to the extent that it is necessary for compliance with a legal obligation to which the controller is subject. Under Article 6(1)(e) of that regulation, such processing may also be lawful if and to the extent that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

36 According to Article 6(2) of the GDPR, Member States may maintain or introduce more specific provisions to adapt the application of the rules of that regulation with regard to processing for compliance with Article 6(1)(c) and (e) of the GDPR by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations, referred to in Chapter IX of the GDPR.

37 Article 6(3) of the GDPR provides that the basis for the processing referred to in Article 6(1)(c) and (e) is to be defined, as the case may be, by EU or Member State law to which the controller is subject. The relevant legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued. That legal basis may also contain specific provisions to adapt the application of the rules of the GDPR, such as, inter alia, general conditions governing the lawfulness of processing by the controller or processing operations and processing procedures, including measures to ensure lawful and fair processing, such as those provided for in other specific processing situations, referred to in Chapter IX of the GDPR.

38 It should also be noted that, as regards public access to official documents, Article 86 of the GDPR, which forms part of Chapter IX thereof, provides that personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with the relevant EU or Member State law in order to reconcile public access to official documents with the right to the protection of personal data.

39 That article must be read in the light, first, of recital 4 of the GDPR, which states, inter alia, that the right to the protection of personal data is not an absolute right, second, of recital 154 of that regulation, from which it is apparent, inter alia, that public access to official documents may be considered to be in the public interest, and, third, of the case-law according to which the principle of transparency, as follows from Articles 1 and 10 TEU and Article 15 TFEU, enables citizens to participate more closely in the decision-making process and guarantees that the administration enjoys greater legitimacy and is more effective and more accountable to the citizen in a democratic system (judgment of 22 November 2022, Luxembourg Business Registers , C‑37/20 and C‑601/20, EU:C:2022:912, paragraph 60 and the case-law cited).

40 Although, as is apparent from recital 10 of the GDPR, Member States have the power to maintain or introduce national provisions to further specify the application of the rules of that regulation, they must nevertheless use their discretion under the conditions and within the limits provided for by that regulation and must therefore legislate in such a way as not to undermine the content and objectives thereof (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraph 59 and the case-law cited).

41 Furthermore, in accordance with the principle of proportionality, Member States must ensure that the practical consequences, in particular of an organisational nature, arising from the additional requirements which they have laid down are not excessive (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein , C‑667/21, EU:C:2023:1022, paragraph 67).

42 In the present case, the processing at issue in the main proceedings may fall within point (c) as well as point (e) of Article 6(1) of the GDPR, since it is imposed on the controller by Law No 106/1999, in the performance of a task carried out in the public interest consisting of ensuring public access to official documents. In that regard, it is common ground that that law requires public authorities to disclose information, including official documents, to the persons who so request.

43 That being said, where the information requested contains personal data, that law provides that such data may be disclosed only in compliance with the legislation relating to the protection of those data, which, as the referring court observes, includes the GDPR. It is apparent from the order for reference that the case-law of the referring court sets out additional obligations, in addition to those expressly laid down in that regulation. It requires the public authorities to inform and consult the data subject before proceeding with any disclosure of those data.

44 As regards the compatibility of national case-law, such as that at issue in the main proceedings, with the GDPR, it should be noted that, under the provisions referred to in paragraphs 36 and 37 above, Member States may introduce specific provisions to ensure lawful and fair processing in specific processing situations, such as that referred to in Article 86 of the GDPR. In that regard, such case-law may form part of the legal basis for the processing, within the meaning of Article 6(3) of the GDPR.

45 Consequently, Article 6(1)(c) and (e) of the GDPR does not preclude, in principle, national case-law which lays down an obligation to inform and consult the data subject before any disclosure of personal data concerning him or her. Such an obligation is such as to ensure lawful, fair and transparent processing in respect of that data subject, within the meaning of Article 5(1)(a) of the GDPR, by allowing him or her to express his or her views on the proposed disclosure. That obligation thus contributes to the attainment of the objective referred to in paragraph 29 above, while allowing the public authority to proceed, in full knowledge of the facts, to the reconciliation required by Article 86 of the GDPR.

46 Nevertheless, in the light of the case-law referred to in paragraphs 40 and 41 above, an absolute application of that obligation could give rise to a disproportionate restriction on public access to official documents. It is conceivable that, for various reasons, informing and/or consulting the data subject may prove impossible or would require disproportionate effort. In such a context, invoking the impossibility, in practice, of informing and consulting that data subject in order to justify the systematic refusal of any disclosure of information concerning that person would lead to the exclusion of any attempt to reconcile the interests involved, even though such reconciliation is expressly prescribed for in Article 86 of the GDPR.

47 In the present case, subject to verification by the referring court, the Ministry of Health appears to have based its decision not to disclose all the information requested on that practical impossibility alone, without having made any attempt to reconcile interests.

48 In the light of all the foregoing considerations, the answer to the second question is that Article 6(1)(c) and (e) of the GDPR, read in conjunction with Article 86 of that regulation, must be interpreted as not precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data, provided that such an obligation is not impossible to implement and that it does not require disproportionate effort and, therefore, it does not result in a disproportionate restriction on public access to those documents.

Costs

49 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

1. Points 1 and 2 of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data. The fact that that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person is irrelevant in that regard.

2. Article 6(1)(c) and (e) of Regulation 2016/679, read in conjunction with Article 86 of that regulation,

must be interpreted as not precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data, provided that such an obligation is not impossible to implement and that it does not require disproportionate effort and, therefore, it does not result in a disproportionate restriction on public access to those documents.

[Signatures]

* Language of the case: Czech.