News / Legal Brief

Should there be limits on the extent to which personal information of a company’s shareholders are available to the public?

Dec 7,2022

Section 26(2) of the Companies Act 71 of 2008 (“Companies Act“) provides that any person has the right to access a company’s records, including, amongst others, the records in respect of the company’s directors and securities register. The Companies Act prescribes that these records must contain a person’s full names, address, identity number, nationality and occupation.[1] Access to this information begs the question:

Should there be limits on the extent to which any person can access such personal information of a person?

Indeed, access to a person’s full name, address and identity number can expose a person to a disproportionate risk of fraud, kidnapping, blackmail, violence or intimidation. Consequently, the question is an important one from a Companies Act and POPIA perspective.[2] This question was recently considered by the Court of Justice of the European Union (“the ECJ“) in its decision in Joined Cases C‑37/20 and C‑601/20.


The matter involved a request by a Luxembourg company and its beneficial owner to restrict the public’s access to the register of beneficial ownership of the company which contains, as required by legislation,[3] a whole series of information of the beneficial owners of registered entities. This includes information such as the name, date of birth, nationality and country of residence.[4]

The ECJ was requested to consider whether the disclosure of such information is capable of entailing a disproportionate risk of interference with the fundamental rights of the beneficial owners concerned.

The ECJ held that the anti-money-laundering directive whereby information on the beneficial ownership of a company must be made available to the general public is invalid in that the public access to such information infringes the right to respect for private and family life and the right to the protection of personal data as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.[5] At its core was the fact that granting the general public access to information on beneficial ownership enables a potentially unlimited number of persons to find out the material and financial situation of individuals, as well as expose the beneficial owner to abuse of their personal data, which data can be retained and disseminated.[6]

Therefore, even though the anti-money-laundering directive was pursuing a legitimate objective in attempting to prevent money laundering and terrorist financing, it enabled disclosure that went beyond what was strictly necessary or proportionate.[7]

Read – POPIA and consent, the biggest misunderstanding?


As a point of departure, it is important to note that even though the decision of the ECJ emanates from a foreign jurisdiction, it is submitted that the South African authorities can take guidance from the decision. We say this because POPIA has been heavily influenced by international and foreign data privacy laws[8] and section 3(3) of POPIA provides that POPIA must be interpreted in accordance with the section 2 purposes of the Act, which include harmonising South African law with international standards.

Furthermore, section 39(2) read with section 39(1) of the Constitution requires that courts and tribunals must give effect to the Bill of Rights in interpreting any legislation and, in doing so, they must consider international law and may consider foreign law.

In South Africa, until the Nova case,[9] there were conflicting judgements regarding whether any person has an unqualified right of access to the share register of a company.[10]

The Supreme Court of Appeal (“SCA“) in the Nova case held that there is no provision in section 26 of the Companies Act that makes a court’s decision to compel compliance with the section discretionary, regardless of whether a request for access is consider “reasonable“. It was further held that the legislature expressly selected not to enact a provision equivalent to Old Companies Act section 113(4), instead it strengthened the access provision by making clear in section 26(2) that it conferred a “right” of access, without qualification and not subject to a discretionary override.

However, it is important to mention that the decision of the SCA in the Nova case left the door open for section 26 to be challenged on a constitutional level for potentially contravening the right to privacy and dignity of persons’ whose names appear on documents being accessed.

Consequently, even though section 26 seems to provide an unqualified right of access, there however are certain measures in place in order to protect the privacy of a shareholder. To this end, regulation 32(6) of the Companies Regulations, 2011 provides that the identity number and e-mail address of a person as contained in a share register may be regarded as confidential. This provision however falls short of protect the other personal information of a shareholder such as their address, occupation and nationality.

One must take a step back and consider the purpose for which a share register may be requested. This purpose relates to inspecting specifically who holds how many shares in a particular company. Consequently, it could be argued that the other personal information as contained in a share register such as a shareholder’s address and occupation are inconsequential to this purpose and are therefore irrelevant.

Personal information may only be processed if

It is important to note that section 10 of POPIA provides that personal information may only be processed if, given the purpose for which it is processed, it is adequate relevant and not excessive. Therefore, it is important to consider what is adequate, relevant and mitigates against processing excessive personal information.

It is also important to note that providing the public with unqualified access to a shareholder’s personal information in a share register potentially infringes not only a shareholder’s privacy rights, but also a company’s constitutional right to privacy as POPIA applies equally to companies as well.

Where should the balance be struck to resolve this conundrum where there is a misalignment between the Companies Act and POPIA?

The origin of this misalignment stems from the fact that when the amended Companies Act came into effect, POPIA was not enacted. The position is made clear when one considers the interpretation section of the Companies Act, particularly section 5(4)(b) which provides that the provisions of other Acts such as, amongst others, PAIA,[11] will prevail over any inconsistent provision of the Companies Act to the extent that it is impossible to apply or comply with one of the inconsistent provisions without contravening the second. While a list of legislation is provided, POPIA is not reflected.

The elephant in the room is clearly POPIA

Perhaps the sentiments of the ECJ provide guidance on the way forward:[12]

In all cases, both with regard to corporate and other legal entities, as well as trusts and similar legal arrangements, a fair balance should be sought in particular between the general public interest in the prevention of money laundering and terrorist financing and the data subjects’ fundamental rights. The set of data to be made available to the public should be limited, clearly and exhaustively defined, and should be of a general nature, so as to minimise the potential prejudice to the beneficial owners

In order to limit the interference with the right to respect for their private life in general and to protection of their personal data in particular, that information should relate essentially to the status of beneficial owners of corporate and other legal entities and of trusts and similar legal arrangements and should strictly concern the sphere of economic activity in which the beneficial owners operate

[1] See sections 26(1)(b) and (e) read with sections 24(3)(b), 24(4) and 24(5) of the Companies Act.
[2] Protection of Personal Information 4 of 2013 (“POPIA“).
[3] The relevant legislation was the anti-corruption directive which provides that the register of beneficial ownership of a company must be made available to the general public.
[4] See paragraph 8 of the decision.
[5] See paragraph 86 of the decision.
[6] See paragraphs 42 and 43 of the decision.
[7] See paragraph 64 of the decision.
[8] The origins of POPIA can be traced to two primary international instruments: the Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. See SALRC Project 124 “Privacy and Data Protection” Report 2009, page vii.
[9] Nova Property Group Holdings Ltd v Cobbett (20815/2014) [2016] ZASCA 63 (12 May 2016) (“Nova case“).
[10] See for example M&G Centre for Investigative Journalism NPC v CSR-E Loco Supply (Pty) Ltd (23477/2013) (8 November 2013) and Bayoglu v Manngwe Mining (Pty) Ltd 2012 JDR 1902 GNP
[11] The Promotion of Access to Information Act 2 of 2000.
[12] See paragraph 3 of the decision.

Latest News