Who is responsible for incorrect publication of personal data in the Belgian Official Gazette?

A publication in the Belgian Official Journal seems set in stone. But what if that publication, through human error, contains sensitive personal data that never should have been in it, such as your bank account number? A recent legal case has boned this question to the bone. The case, which began with an unfortunate mistake at a notary's office, exposed a fundamental conflict between the General Data Protection Regulation (GDPR) and one of the cornerstones of our Belgian law: the immutability of the Belgian Official Gazette.

The trigger

The case came to a head following the publication of an extract of a deed of capital reduction of a company. The notary who had drawn up the deed made a mistake and included in the extract for the Official Gazette not only the information required by law, but also the amounts repaid and bank account numbers of the shareholders involved. The publication of these financial data was in no way required by law.

When the shareholder discovered this, he immediately took steps through his notary to have this highly sensitive information deleted, invoking his "right to data erasure" under the AVG. It seemed like a simple rectification, but it was anything but. The FPS Justice, as administrator of the Belgian Official Gazette, refused to remove the original publication. The department invoked the principle of immutability: what is in the Official Gazette cannot be changed or deleted retroactively. As an alternative, the FPS Justice suggested a new, publish corrected excerpt, but that was no solution, as the original, erroneous publication with the bank details would simply remain available online.

On this, the shareholder filed a complaint with the Data Protection Authority (GBA).

The legal action: GBA, Market Court and Court of Justice

The Data Protection Authority (DPA) did not follow the FPS Justice's reasoning. In its decision (no. 38/2021) of March 23, 2021 the GBA ruled that the Belgian Official Gazette should indeed be considered a data controller and imposed a reprimand, as well as an order to still comply with the complainant's request and erase the personal data within 30 days. The GBA stated that according to the definition in the AVG, the data controller is the entity that processes the ends and means for data processing determines. Although the duty until publication is in the law, it is the FPS of Justice that controls the specifics: the website, the databases, and how the data are presented and made searchable online. Because of this control over the "how" of publication, the Official Gazette met the definition.

The Belgian State, acting for the FPS Justice, appealed this decision to the Market Court. The Market Court decided in a judgment of February 22, 2022 two preliminary questions to the Court of Justice of the European Union set:

1. Can a body such as the Belgian Official Gazette, which is legally obliged to publish deeds supplied by third parties without checking their content, be considered a "data controller"?
2. If so, is the Official Gazette solely responsible, or does it share that responsibility with the parties (in this case, the notary) who provided the data?

Court's ruling: a chain of separate responsibilities

In his judgment of 11 January 2024 (C-231/22) the Court of Justice gave a clear and nuanced answer.

• Yes, the Belgian Gazette is a data controller. The Court held that the Official Gazette determines the purpose (legal disclosure) and means (the publication itself) of the processing and thus meets the definition.
• No, there is no joint responsibility. This was the crucial nuance. The Court stated that there is a chain of separate, consecutive processing operations. The notary is the processing controller for the preparation and proper delivery of the deed. The registry performs a second processing. The Official Gazette is the third and final processor, and is exclusively and solely responsible for the processing it performs itself: final publication and making it available online.

Annulment of GBA ruling by the Markets Court

This is where things get complex. Following the Court of Justice's ruling, the Markets Court, in a judgment of April 16, 2025 the GBA's decision. Although the Court agreed with the GBA that the Official Gazette is a data controller, the sanction was still dismissed.

The reason for this is the gap in Belgian legislation, as also the Advocate General to the Court of Justice had noted. The Belgian legislature has placed the FPS Justice in an impossible position:

• On the one hand, Belgian law requires the Official Gazette to integral and unalterable publication of what is delivered.
• On the other hand, the AVG requires that same entity, as a data controller, to be able to delete erroneous or redundant data.

Belgian law simply does not provide a "delete button" or a procedure to reconcile these two obligations. The Market Court therefore held that the GBA could not impose a sanction on the FPS Justice for non-compliance with an AVG obligation (deletion of data) when national law seemed to explicitly prohibit that act and there was no legal framework to resolve this conflict. Thus, due to this complexity, the legal basis for the sanction was insufficient.

What does this mean for you as a notary or company?

This ruling is a warning that makes the responsibility of the one providing the data even heavier. Now that it appears that in practice an aggrieved citizen cannot enforce his AVG rights with FPS Justice (Belgian Official Gazette), he will inevitably turn to the source of the error:

• You are and remain the first, and now the de facto only, addressable party. As a notary, accountant, consultant or director of a company preparing a deed for publication, you are the primary data controller. The legal impasse at the Official Gazette means that the entire burden of recovering or compensating for damages falls on your shoulders. So you must be absolutely certain that only the strictly necessary personal data is included in the extract.
• An error is a data breach with direct consequences. Inadvertently publishing redundant data (such as a bank account number) is a data breach that must be reported to the Data Protection Authority, in accordance with Article 33 of the AVG. Whereas the Official Gazette currently escapes sanction, as a supplier you are, however, directly and fully exposed to the consequences.
• Severe sanctions are a real risk. The AVG provides for heavy administrative fines, which can reach €20 million or 4% of total annual turnover. The likelihood that a complaint or claim for damages will now be directed directly against the notary or the company itself is significantly increased by this ruling.