When a subscriber to a telecommunications service withdraws his or her consent to the publication of his or her personal data in a public directory, the company responsible for processing the data is required to put in place appropriate technical and operational measures to inform the other directory providers to which it has supplied the data in question of the withdrawal of the data subject’s consent, the Court of Justice of the European Union (CJEU) ruled in a judgment handed down on Thursday, 27 October (Case C-129/21).
In Belgium, telecoms provider Proximus is challenging in the Belgian courts the decision of the national data protection authority to impose corrective measures and a fine of €20,000 for violating the ‘GPDR’ regulation (2016/679) on the processing of personal data of individuals.
A subscriber to Telenet, another telephone service operator, had asked Proximus not to include his personal data in its directories on the basis of information received from Telenet. Proximus, which had changed the subscriber’s status, then received an update from Telenet of the complainant's data, which was not indicated as confidential. This information was processed automatically by Proximus and was again included in the directories.
In response to the subscriber’s repeated request to remove his data, Proximus replied that it had removed the relevant data from the directories and contacted Google to have the relevant links to the Proximus website removed. Proximus also informed the subscriber that it had passed on his details to other directory providers and that, thanks to monthly updates, these providers had been informed of the request.
Referred to by the Brussels Court of Appeal, the CJEU confirms that consent by a subscriber who has been duly informed is necessary for the purposes of the publication of his or her personal data in a public directory and extends to any subsequent processing of data by third-party undertakings active in the market. That consent requires a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes in the form of a statement or of “a clear affirmative action” signifying agreement to the processing of personal data relating to him or her.
However, such consent does not require that, on the date on which it is given, the data subject is necessarily aware of the identity of all the providers of directories which will process his or her personal data.
According to the Court, subscribers must have the opportunity to have their personal data withdrawn from directories. When the data subject makes use of such a right to erasure (Article 17 of the GDPR), the company responsible for processing the personal data, such as Proximus, must put in place appropriate technical and organisational measures to inform other providers of directories that have received such data from it of the withdrawal of the consent of the data subjects. It must then ensure that the other provider amends the list of personal data that it automatically forwards to that provider of directories. And it must take reasonable steps to inform search engines of the request to remove the subscriber’s personal data.
The Court is of the opinion that, where different controllers rely on the single consent of the data subject, it is sufficient for the data subject to withdraw such consent if he or she addresses only one of the controllers.
See the Court’s judgment: https://aeur.eu/f/3tc (Original version in French by Mathieu Bion)