CJEU - C-129/21 - Proximus

From GDPRhub
CJEU - C-129/21 Proximus
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 17 GDPR
Article 17(2) GDPR
Article 24 GDPR
Article 95 GDPR
Article 12(2) Directive 2002/58/EC
Article 2(f) Directive 2002/58/EC
Decided: 27 October 2022
Parties: Proximus NV
Gegevensbeschermingsautoriteit
Case Number/Name: C-129/21 Proximus
European Case Law Identifier: EU:C:2022:833
Reference from: Court of Appeal of Brussels (Belgium)
2020/AR/1160
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a

English Summary

Facts

Proximus, a provider of telecommunications services provider in Belgium, also provides telephone books and telephone enquiry services for the public (hereinafter "directories"), according to the Law about Electronic Communication. These directories contain the name, addresse and phone number (hereinafter "information") of the different public telephone services providers (hereinafter "operators"). Other directories, published by third parties, exist.

The information of these subscribers are communicated regularly to Proximus by the operators, except those of subscribers who expressed their wish not to appear in the directories published by Proximus. In Belgium, the distinction between the subscribers who want to appear in a directory and those who don't, is in practice expressed by assigning a code in the registration of each subscriber, namely "NNNNN" to the subscribers whose information can appear, and "XXXXX" to the subscribers whose information stays confidential. Proximus transmits the information it receives to other providers of directories.

The complainant is a subscriber of the telephone service operato Telenet, who is active on the Belgian market. Telenet does not provide directories but transmits the information of its subscribers to providers of directories, among them to Proximus.

The 13th January 2019 this subscriber demanded Proximus not to have appear his information in the directories published either by Proximus or by third parties. Following this demand, Proximus modifiier the status of this subscriber in its information system, so that the information of that subscriber should not made public any more.

The 31st January 2019, Proximus received from Telenet a periodic update of the data of the subscribers of the latter. This update contained new data of the concerned subscriber, which were not indicated as confidential. This information was handled automatically by Proximus and were registered in a way that they appeared again in the directory of this latter.

The 14th August 2019, after having found that his phone number was published in the directories of Proximus and of third parties, the concerned subscriber demanded again from Proximus not to have his data appear. The same day, Proximus responded to the complainaint that it deleted his data of the directories and contacted Google that the relevant links to the Internet site of Proximus be deleted. Proximus also informed this subscriber that it transmitted his information to other directory providers and, thanks to the mothly updates, these providers were informaed about the demand of the complainant.

At the same time, the above mentioned subscriber sub,itted a complaint eith the APD against Proximus, on the basis that, in spite of his demand that his information should not appear in the directories, his phone number appeared notwithstanding in certain of these directories..

The 5th September 2019, the concerned subscriber and Proximus had other exchanges concerning the publication of the data of this subscriber in the directory of third parties. In this context, Proximus underlinet that it transmits the information of its subscribers to other providers of directories, but it has no view about the internal operating procedures of these providers.

The 30th July 2020, after a contradictory procedure, the "chambre du contentieux" (the administrative conflict resolution body of the APD) has adopted a decision imposing on Proximus corrective mesures and applied on it a fine of 20 000 euros for the violation, among others, of article 6 GDPR, read in combination with article 7 of the same Regulation and of article 5, second paragraphe of the Regulation mentioned and in conjunction with article 24 of the same. In particular, the APD firstly ordered Proximus to comply appropriately and immediately with the withdrawal of consentbe the concerned subscriber and to fulfil the demands of this subscriber, exercising his right to erasure of the data related to him. The APD has, subsequently, ordered Proximus to take the aprropriate technical and organisational measures to ensure that the processing of personal data it conducts should complay with the requirements of the GDPR. Finally, the APD ordered Proximus to stop transmitting these data illegally to other providers of directories.

The 28th August 2020, Proximus introduced an appeal against this decision before the "hof van beroep te Brussel" (Appeal Court of Brussels, Belgique).

According to Proximus, according to article 45, third paragraph of the Law about Electronic Communications, the consent of the subscriber is not required, but the subscribers have to demand themselves not to appear in the directories, according to a system called "opt-out" In the absence of such a demand, the concerned subscriber can effectively appear in these directories. Following from this, according to Proximus, no "consent" of the subscriber is actually necessary in the sense of Directive 95/46 or of the GDPR.

Being of the opposite view, the APD argues, in substance, that article 12, second paragraph of Directive 2002/58 and article 133, first paragraph of the Law about Electronic Communication require the "consent of the subscriber", in the sense of the GDPR in order that the providers of directories could process and transmit their personal data.

Holding

Article 12(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with point (f) of the second paragraph of Article 2 of that directive and with Article 95 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that ‘consent’ within the meaning of Article 4(11) of that regulation is required from the subscriber of a telephone service operator in order for the personal data of that subscriber to be included in publicly available telephone directories and directory enquiry services published by providers other than that operator, and that that consent may be provided to that operator or to one of those providers.

Article 17 of Regulation 2016/679

must be interpreted as meaning that the request by a subscriber to have his or her personal data withdrawn from publicly available telephone directories and directory enquiry services constitutes making use of the ‘right to erasure’ within the meaning of that article.

Article 5(2) and Article 24 of Regulation 2016/679

must be interpreted as meaning that a national supervisory authority may require that the provider of publicly available telephone directories and directory enquiry services, as controller, take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service operator that has communicated its subscriber’s personal data to that provider and the other providers of publicly available telephone directories and directory enquiry services to which that provider has itself supplied such data, of the withdrawal of the subscriber’s consent.

Article 17(2) of Regulation 2016/679

must be interpreted as not precluding a national supervisory authority from ordering a provider of publicly available telephone directories and directory enquiry services – which has been requested by the subscriber of a telephone service operator to cease disclosing personal data relating to him or her – to take ‘reasonable steps’, within the meaning of that provision, to inform search engine providers of that request for erasure of the data.

Comment

The importance of this judgment is that it extends the notification obligation according to Article 19 GDPR (about rectification or erasure of personal data to recipients) to providers of data (service operators providing the data to appear in a directory), and thus the data subject can turn with the request to any publisher or controller in the information chain, it does not need to turn to its own telecommunication service provider, and also consent can be provided to any of these. Reasonable measures have to be taken to inform search engine providers also. Once consent is provided to any of the operators or publishers, data can legitimately appear in any similar directories, while withdrawal of this consent communicated to any of these controllers also means withdrawal of consent from all of them and they have to ensure that all of them are ceasing processing (publishing) these data.

The opinion also contains some arguments about the nature of consent in these cases.

Further Resources

Share blogs or news articles here!