November 7, 2022
Belgian telecoms operator Proximus NV provides two Belgian electronic directories, www.1207.be and www.1307.be, and two directory enquiry services, 1207 and 1307. Proximus includes the contact details of its own subscribers as well as those from other telecoms operators in those directories. It also passes the contact details on to other directory providers.
A subscriber to another telecoms operator in Belgium called Telenet, which does not provide directories but gives its subscriber contact details to other operators, including Proximus, complained to the Belgian Data Protection Authority (DPA) when his contact details were included in Proximus’s directories and directory enquiry services despite him having contacted Proximus directly via its website asking for his details not to be included.
The DPA found in favour of the complainant and ordered Proximus to comply with the personal data processing rules under the GDPR. Proximus appealed to the Belgian Court of Appeal, which asked the CJEU whether Articles 12(2) and 2(f) of the Privacy Directive (2002/58/EC) read in conjunction with Article 95 of the GDPR (2016/679/EU) meant that a national supervisory authority (NSA) must gain a subscriber’s consent pursuant to the GDPR in order to publish contact details in directories in the absence of national legislation to the contrary.
The CJEU found that informed consent from a subscriber is necessary for publication of his or her personal data in a public directory. This extends to any subsequent processing of his/her personal data by third-party undertakings active in the directory enquiry services and directories markets, provided that such processing pursues the same purpose.
Consent requires a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes in the form of a statement or of “a clear affirmative action” signifying agreement to the processing of his/her personal data. However, such consent does not require that on the date on which it is given, the data subject is necessarily aware of the identity of all providers of directories which will process his or her personal data.
The CJEU also said that subscribers must be able to withdraw their personal data from directories. Further, any request from a subscriber to have his or her data withdrawn comes under the “right to be forgotten” under Article 17 of the GDPR.
The CJEU also confirmed that a controller of personal data such as Proximus must, by means of appropriate technical and organisational measures, inform other directories providers that the data subject’s consent has been withdrawn. The controller must also ensure that the telephone service operator that communicated the personal data to it is informed so that that operator amends the list of personal data that it automatically forwards to directories providers. Where, as in the present case, the various controllers rely on a single consent, the data subject only has to notify one of the controllers the withdrawal of his/her consent.
Lastly, the CJEU held that a controller such as Proximus is required under the GDPR to ensure that reasonable steps are taken to inform search engine providers of the request for erasure of personal data from the subscriber. (Case C-129/21 Proximus NV v Gegevensbeschermingsautoriteit EU:C:2022:833 (27 October 2022) — to read the judgment in full (in French) click here. To read the press summary in full (in English), click here.