Where a data subject provides consent to different controllers for the processing of the same personal data, it is sufficient for such data subject to notify just one of the controllers of the withdrawal of such consent and request for data erasure.

It is then up to such notified controller to take the necessary steps to inform the other controllers of the notification made by the data subject, the Court of Justice of the European Union (CJEU) has recently affirmed.

The EU’s General Data Protection Regulation (GDPR) regulates how personal data is collected, processed and erased. It endows individuals with the right to exercise control over the processing of their personal data. This includes the right of a data subject to request to have personal data provided to a third party for any purpose erased without undue delay.

Though the right to be forgotten is not an absolute one; the GDPR outlines a number of instances when an individual may exercise such right, such as when the personal data is no longer required by the third party who is in possession of such data for the purpose for which it was originally collected or processed.

Similarly, in those cases where the processing of an individual’s personal data by a third party is solely dependent on the individual’s consent, the latter may withdraw such consent and, consequentially, request for the erasure of such data.

Another specific EU law regulates the processing of personal data by the electronic communications industry. It makes provision for certain safeguards to ensure the users’ right to privacy and confidentiality. Among other rules, this law also stipulates that user consent is specifically required in certain instances, including prior to the publication of telephone numbers, e-mail addresses or postal addresses in public directories.

The facts of this case were briefly as follows. Proximus, a provider of telecommunication services in Belgium, also publishes telephone directories and directory enquiry services.

The directories contain the name, address and telephone number of the subscribers of various providers of public telephone services. Such contact details are communicated to Proximus by the telephone service providers, except where the subscriber has expressed the wish not to be included in the directories. In turn, Proximus supplies the contact details that it receives to another provider of directories.

A telephone service provider, Telenet, passed on the contact details of its subscribers to Proximus. One of those subscribers asked Proximus not to include his contact details in directories published both by Proximus and by third parties. Proximus acceded to such request so that the subscriber’s contact details were no longer made public.

Subsequently, an update of the data of the subscriber concerned was received by Proximus from Telenet, with no indication that such data was to be considered as confidential.

The information was processed automatically by Proximus and was recorded, with the result that it was again included in the directories. In response to various requests by the subscriber for his data not to be included, Proximus affirmed that it had withdrawn the data concerned from the directories and had contacted Google to have the relevant links to Proximus’ website deleted.

Proximus also informed the subscriber that it had forwarded his contact details to other providers of directories and that, via the monthly updates, those providers had been informed of the request. Nonetheless, the subscriber submitted a complaint to the Belgian Data Protection Authority. The latter ordered Proximus to take remedial action and to pay a fine for infringement of the GDPR.

The court concluded that, where various controllers rely on the single consent of the data subject, it is sufficient for such data subject to notify just one controller of the withdrawal of such consent

Proximus appealed against such a decision, arguing that the consent of the subscriber is not required for the purpose of the publication of his/her personal data in the telephone directories, but rather that the subscribers must themselves request not to be included in such directories under an ‘opt-out’ system. In the absence of such a request, the subscriber concerned may, in fact, be included in the directories.

The Data Protection Authority counter-argued that the EU law regulating privacy and electronic communications requires the “consent of subscribers” within the meaning of the GDPR in order for the providers of directories to be able to process and pass on their personal data.

The case was referred by the national appellate court to the CJEU for a preliminary ruling as to how the EU laws in question were to be interpreted within the context of the case at hand.

The CJEU confirmed that consent by a subscriber who has been duly informed is necessary for the purposes of the publication of his/her personal data in a public directory. Such consent extends to any subsequent processing of the data by third-party undertakings dealing in public directory enquiry services and directories.

The court observed that the consent must be a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes in the form of a statement or of “a clear affirmative action” signifying agreement to the processing of personal data relating to him or her.

However, it is not necessary that on the date on which the consent was given, the data subject was aware of the identity of all the providers of directories which would be processing his/her personal data.

The court affirmed that subscribers must also have the opportunity to have their personal data withdrawn from directories which is tantamount to the right to erasure provided for by the GDPR.

In terms of the latter regulation, a controller of personal data such as Proximus must, by means of appropriate technical and organisational measures, inform the other providers of directories that have received such data from it of the withdrawal of the consent of the data subject.

This includes the obligation for the notified controller to also notify the telephone service provider, the original source of the personal data, in this case Telenet, to cease from automatically forwarding any updates in relation to such data to providers of directories such as Proximus.

The court concluded that, where various controllers rely on the single consent of the data subject, it is sufficient for such data subject to notify just one controller of the withdrawal of such consent.

The onus then lies on the notified controller to take the necessary steps to inform both search engine providers and other controllers depending on the consent of the data subject for the processing of the same data, of the withdrawal of consent and request for erasure of personal data.

The right for individuals to decide who can process their personal data and how can such data be processed is strictly regulated by EU laws. The interpretation as to the application in practice of the rights of data subjects emanating from such laws, as is the right of a data subject to request for erasure of personal data, is indispensable for a harmonised approach towards the exercise of such rights across all EU member states.

Mariosa Vella Cardona is a freelance legal consultant specialising in European law, as well as a visiting examiner at the University of Malta.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.