Court of Appeal of Brussels - 2020/AR/1160 (Second Interim Decision): Difference between revisions
No edit summary |
No edit summary |
||
Line 5: | Line 5: | ||
|Courtlogo=Courts_logo1.png | |Courtlogo=Courts_logo1.png | ||
|Court_Abbrevation=Hof van Beroep | |Court_Abbrevation=Hof van Beroep | ||
|Court_With_Country=Hof van | |Court_With_Country=Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium) | ||
|Case_Number_Name=2020/AR/1160 | |Case_Number_Name=2020/AR/1160 | ||
Line 61: | Line 61: | ||
| | | | ||
}} | }} | ||
The Court | |||
The Court | The Court of Appeal of Brussels fined a telecom operator €20,000 for failure to comply with a data subject's request to remove her data and illegal sharing of her data with other telephone directories. The Court referred several questions to the CJEU regarding the interaction between the GDPR and ePrivacy Directive. | ||
== English Summary == | == English Summary == | ||
Line 69: | Line 69: | ||
In this case Proximus had failed to grant a woman's right of erasure of her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator. | In this case Proximus had failed to grant a woman's right of erasure of her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator. | ||
The Belgian DPA imposed a fine of | The Belgian DPA imposed a fine of €20,000 on the defendant defendant for infringement of Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven. | ||
In addition, the DPA ordered the defendant to cease any further disclosure of personal data of subscribers to third parties of telephone directory or inquiry services when Proximus acquired these data only as a provider of telephone directories and directory enquiry services, taking into account a transition period in order to give Proximus (and the telecommunications sector in a broader context) the opportunity to develop a new privacy compliant system. | |||
=== Dispute === | === Dispute === |
Revision as of 08:17, 21 July 2021
Hof van Beroep - 2020/AR/1160 | |
---|---|
Court: | Cour d'appel de Bruxelles/ Hof van beroep Brussel (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6(4) GDPR Article 7 GDPR Article 12 GDPR Article 17 GDPR Article 24 GDPR Article 94(2) GDPR Art. 12 Directive on privacy and electronic communications (ePrivacy Directive) 133 WEC |
Decided: | 24.02.2021 |
Published: | |
Parties: | Proximus N.V. APD/GBA |
National Case Number/Name: | 2020/AR/1160 |
European Case Law Identifier: | |
Appeal from: | APD/GBA 2020/AR/1160 |
Appeal to: | Not appealed |
Original Language(s): | Dutch |
Original Source: | Arrest van 24 februari 2021 van het Marktenhof AR 1160 (in Dutch) |
Initial Contributor: | Matthias Smet |
The Court of Appeal of Brussels fined a telecom operator €20,000 for failure to comply with a data subject's request to remove her data and illegal sharing of her data with other telephone directories. The Court referred several questions to the CJEU regarding the interaction between the GDPR and ePrivacy Directive.
English Summary
Facts
In this case Proximus had failed to grant a woman's right of erasure of her personal data and had passed the data on to other telephone directories and directory enquiry services even after receiving several complaints and correspondence from the data subject. On request of the data subject, Proximus had changed the code linked to the data subject's data from 'visible' to 'confidential'. After adjusting the code regarding publication, Proximus received new contact details of the person concerned from her operator, as a result of which the data in the underlying database was automatically overwritten with the new data from the operator.
The Belgian DPA imposed a fine of €20,000 on the defendant defendant for infringement of Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven.
In addition, the DPA ordered the defendant to cease any further disclosure of personal data of subscribers to third parties of telephone directory or inquiry services when Proximus acquired these data only as a provider of telephone directories and directory enquiry services, taking into account a transition period in order to give Proximus (and the telecommunications sector in a broader context) the opportunity to develop a new privacy compliant system.
Dispute
- Should the indication of wishes required by Art. 133 WEC be regarded as a right of choice (opt-out system) or as consent within the meaning of the GDPR?
- Does the republication of the personal data constitute unlawful processing of personal data?
- Is there an obligation to pass on a data subject's request to the source of personal data or to third parties other than recipients?
Holding
With regard to the question of whether consent is required or not, the Court of Appeal referred to case law of the Court of Justice, which cites two crucial points:
1° Article 12(1) and recital 38 of the ePrivacy Directive show that subscribers must be given sufficient information before being included in public directories. This allows them to give their free, specific and informed consent within the meaning of Directive 95/46/EC. Reading this together with Article 94 GDPR which states that all references to Directive 95/46/EC should be read as references to the GDPR, we can conclude that this constitutes 'consent' in the sense of the GDPR in this context.
2° In the same judgment, the Court specifies that it concerns a purpose-related consent and that the identity of the recipients of the personal data is not automatically relevant. Basically, the initial consent of the data subject also includes any other subsequent processing of these data by third parties, provided that this processing has the same purpose. This principle of purpose-related consent is not expressly laid down in Article 12, paragraph 2 of the ePrivacy Directive, but results from a “contextual and systematic interpretation” of this article.
Given the fact that this is a complex matter which raises some questions that are not yet tackled by the legislator, the Brussels Court of Appeal stayed the proceedings to request the Court of Justice for a preliminary ruling regarding four questions.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.