Handelsregister.de: Online query reveals private data
Entries in the commercial register have been easy to query online since the beginning of August – without registration or costs. The data also includes private information.
Since August 1, all entries in the commercial, cooperative, partnership and association registers can be retrieved from the central register platform of the federal government at handelsregister.de, simply by filling in a web form. The documents, which are now easily accessible to the general public, often contain sensitive personal data such as addresses, dates of birth, bank details or even signatures.
Until now, you had to register for information at the Hamm District Court by fax and also pay fees for many documents. The portal has so far served as the central online information system for the German register courts. On the basis of the law implementing the EU Digitization Directive, the deadline for implementation of which expired on August 1, register information was standardized and access restrictions were lifted. With the directive, the EU wants to simplify the formation of companies and the availability of register information.
A portal where every citizen can quickly check who is behind a certain company is basically a good thing. This promotes transparency. However, one reader, who is a data protection officer in a company, found some blemishes. He noticed that private data or data with potential for misuse can be found in many data sets.
In many documents, for example, signatures are not blacked out. Private addresses appear in plain text, and dates of birth are often given. Written documents from associations also contain personal account numbers in plain text, and confirmations from notaries sometimes contain the verification numbers of the ID card.
Transparency trumps privacy
We asked the Federal Data Protection Authority for its view on the objections. It referred us to the state data protection authority in North Rhine-Westphalia because the portal is operated by the Ministry of Justice there. The State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia emphasizes that the portal has been around for a long time. The only new thing is “that retrievals from the register are no longer subject to a fee and that user registration is no longer provided for.”
The data protection officers refer to the legal basis, which results from a number of sections, including those of the German Commercial Code (HGB) and the Commercial Register Ordinance. In particular, the authority emphasizes, with reference to Section 10a HGB, that the portal serves “to ensure transparency in legal transactions and the associated effects on third parties. Therefore, the rights under the General Data Protection Regulation only apply to a very limited extent.”
Possible Abuse
The North Rhine-Westphalian data protection officers also see that the new access to the commercial register “has triggered greater sensitivity among those affected, who are concerned about possible misuse of their data”. They therefore suggest that legal restrictions on the free publication of all register data on the Internet should be considered in the interest of protecting the data subjects, insofar as this does not conflict with European law.
This seems appropriate, because the data harbors potential for abuse. The security expert and “riot influencer” Lilith Wittmann has already announced that she will build an application programming interface (API) for the commercial register portal. Such an interface should make it even easier to quickly retrieve a lot of content from the portal – including sensitive content.
“Blatant failure of the legislature”
The legal advisor and data protection officer at Heise-Verlag, Joerg Heidrich, is left at a loss by the current implementation of the commercial register portal: “I consider this to be a glaring failure on the part of the legislature when weighing up legitimate demands for transparency on the one hand and the rights of those affected on the other side.” The portal can be compared well with the domain register, says Heidrich: “The entries there are not publicly visible and can only be called up in exceptional cases with a legitimate interest. Why the unequal treatment?”