Court of Appeal of Brussels - 2020/AR/1160 (Second Interim Decision): Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Belgium |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Hof van Beroep |Court_With_Country=Hof van Beroep Brussel (Belgium)...")
 
Line 73: Line 73:


=== Facts ===
=== Facts ===
In this case Proximus had failed to grant a woman's right of erasureof her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator.  
In this case Proximus had failed to grant a woman's right of erasure of her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator.  


The Belgian DPA imposed a fine of 20 000 euros on the defendant defendant for infringement of Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven.
The Belgian DPA imposed a fine of 20 000 euros on the defendant defendant for infringement of Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven.
Line 86: Line 86:
=== Holding ===
=== Holding ===
With regard to the question of whether consent is required or not, the Court of Appeal referred to case law of the Court of Justice, which cites two crucial points:
With regard to the question of whether consent is required or not, the Court of Appeal referred to case law of the Court of Justice, which cites two crucial points:
1° Article 12(1) and recital 38 of the ePrivacy Directive show that subscribers must be given sufficient information before being included in public directories. This allows them to give their free, specific and informed consent within the meaning of Directive 95/46/EC. Reading this together with [[Article 94 GDPR|Article 94 GDPR]] which states that all references to Directive 95/46/EC should be read as references to the GDPR, we can conclude that this constitutes 'consent' in the sense of the GDPR in this context.
 
1° Article 12(1) and recital 38 of the ePrivacy Directive show that subscribers must be given sufficient information before being included in public directories. This allows them to give their free, specific and informed consent within the meaning of Directive 95/46/EC. Reading this together with [[Article 94 GDPR]] which states that all references to Directive 95/46/EC should be read as references to the GDPR, we can conclude that this constitutes 'consent' in the sense of the GDPR in this context.


2° In the same judgment, the Court specifies that it concerns a purpose-related consent and that the identity of the recipients of the personal data is not automatically relevant. Besically, the initial consent of the data subject also includes any other subsequent processing of these data by third parties, provided that this processing has the same purpose. This principle of purpose-related consent is not expressly laid down in Article 12, paragraph 2 of the ePrivacy Directive, but results from a “contextual and systematic interpretation” of this article.  
2° In the same judgment, the Court specifies that it concerns a purpose-related consent and that the identity of the recipients of the personal data is not automatically relevant. Besically, the initial consent of the data subject also includes any other subsequent processing of these data by third parties, provided that this processing has the same purpose. This principle of purpose-related consent is not expressly laid down in Article 12, paragraph 2 of the ePrivacy Directive, but results from a “contextual and systematic interpretation” of this article.  

Revision as of 00:25, 20 July 2021

Hof van Beroep - 2020/AR/1160
Courts logo1.png
Court: Hof van Beroep Brussel (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(4) GDPR
Article 7 GDPR
Article 12 GDPR
Article 17 GDPR
Article 24 GDPR
Article 94(2) GDPR
Art. 12 Directive on privacy and electronic communications (ePrivacy Directive)
133 WEC
Decided: 24.02.2021
Published:
Parties: Proximus N.V.
APD/GBA
National Case Number/Name: 2020/AR/1160
European Case Law Identifier:
Appeal from: APD/GBA
2020/AR/1160
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: Arrest van 24 februari 2021 van het Marktenhof AR 1160 (in Dutch)
Initial Contributor: Matthias Smet

Proximus appealed a decision in which the Belgian DPA imposed a fine on the telecom company.

On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator.

The Court decided Proximus had failed to comply with the data subject's request to remove her data and accused Proximus of unlawful disclosure of the data on to other telephone directories and directory enquiry services. The DPA imposed a fine of EUR 20,000 and ordered to cease the processing activity.

However, the Brussels Court of Appeal subsequently stayed the proceedings pending the reply by the Court of Justice to the request for a preliminary ruling.

English Summary

Facts

In this case Proximus had failed to grant a woman's right of erasure of her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator.

The Belgian DPA imposed a fine of 20 000 euros on the defendant defendant for infringement of Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven.

Besides that the DPA orders to cease any futher disclosing of personal data of subscribers to third parties of telephone directory or inquiry services when Proximus acquired these data only as a provider of telephone directories and directory enquiry services, taking into account a transition period in order to give Proximus, and in a broader context the sector, the opportunity to develop a new privacy compliant system.

Dispute

- Should the indication of wishes required by Art. 133 WEC be regarded as a right of choice (opt-out system) or as consent within the meaning of the GDPR? - Does the republication of the personal data constitute unlawful processing of personal data? - Is there an obligation to pass on a data subject's request to the source of personal data or to third parties other than recipients?

Holding

With regard to the question of whether consent is required or not, the Court of Appeal referred to case law of the Court of Justice, which cites two crucial points:

1° Article 12(1) and recital 38 of the ePrivacy Directive show that subscribers must be given sufficient information before being included in public directories. This allows them to give their free, specific and informed consent within the meaning of Directive 95/46/EC. Reading this together with Article 94 GDPR which states that all references to Directive 95/46/EC should be read as references to the GDPR, we can conclude that this constitutes 'consent' in the sense of the GDPR in this context.

2° In the same judgment, the Court specifies that it concerns a purpose-related consent and that the identity of the recipients of the personal data is not automatically relevant. Besically, the initial consent of the data subject also includes any other subsequent processing of these data by third parties, provided that this processing has the same purpose. This principle of purpose-related consent is not expressly laid down in Article 12, paragraph 2 of the ePrivacy Directive, but results from a “contextual and systematic interpretation” of this article.

Given the fact that this is a complex matter which raises some questions that are not yet tackled by the legislator, the Brussels Court of Appeal stayed the proceedings to request the Court of Justice for a preliminary ruling regarding following questions:

1° Should Article 72.2 of the e-Privacy Directive 2002/58/EC, read in conjunction with Article 2(f) of that directive and with Article 95 of the General Data Protection Regulation to be interpreted as allowing a national supervisory to be interpreted as permitting a national supervisory authority to require the 'consent' of a subscriber within the meaning of the General Data Protection Regulation as the basis for the publication of the subscriber's personal data in public directories and directory enquiry services, both those published by the operator itself and by thirdproviders, providers, in the absence of national legislation to the contrary?

2° Should the right of erasure contained in Article 17 of the General Data Protection Regulation be interpreted as precluding a national supervisory authority from considering a request by an individual for removalfrom public directories and directory enquiry services as a request for erasure within the meaning of Article 17 of the General Data Protection Regulation?

3° Must Article 24 and Article 5(2) of the General Data Protection Regulation be interpreted as precluding a national supervisory authority from concluding from the accountability obligation contained therein that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service provider and, inter alia, providers of telephone directories and directory enquiry services who have received data from that controller, of any withdrawal of consent by the data subject in accordance with Article 6 juncto Article 7 of the Regulation?

4° Must Article 17.2 of the General Data Protection Regulation be interpreted as precluding a national supervisory authority from ordering a provider of public directories and directory enquiry services who is requested to cease disclosing data relating to an individual to take reasonable steps to inform search engines of that request for deletion of data?

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.