ECJ i.S. Pro­xi­mus (Case C‑129/21, 27.10.22): Infor­ma­ti­on requi­re­ments in case of dele­ti­on in a pro­ce­s­sing chain

On Octo­ber 27, 2022, the ECJ addres­sed its­elf in its Judgment C‑129/21 i.S. Pro­xi­mus dealt with the que­sti­on of whe­ther a link in a pro­ce­s­sing or trans­fer chain must inform the other links befo­re and after it of a deletion:

The sub­ject mat­ter was a tele­pho­ne direc­to­ry (sub­scri­ber direc­to­ry). The complainant’s pro­vi­der, Tel­en­et, had pas­sed direc­to­ry data on to Pro­xi­mus, ano­ther Bel­gi­an pro­vi­der, among others.

The first two sub­mis­si­on que­sti­ons can be brief­ly summarized:

  • The ECJ first sta­tes that Art. 12 para. 2 of the e‑Privacy Direc­ti­ve 2002Con­sent requi­red for inclu­si­on in sub­scri­ber direc­to­riesHowe­ver, this con­sent is not limi­t­ed to a spe­ci­fic pro­vi­der – with the initi­al con­sent, the direc­to­ry data may the­r­e­fo­re be dis­c­lo­sed to ano­ther pro­vi­der, pro­vi­ded the pur­po­se of the pro­ce­s­sing is not exten­ded (as alre­a­dy sta­ted in the Deut­sche Tele­kom judgment), ECJ Case C‑543/09 dated 5.5.2011). The initi­al con­sent must meet the requi­re­ments of the GDPR.
  • If a sub­scri­ber requests that his or her per­so­nal data be remo­ved from sub­scri­ber direc­to­ries, pro­vi­ders must then com­ply – this is an exer­cise of the “Right to can­cel­la­ti­on” within the mea­ning of Art. 17 GDPR.

The third que­sti­on sub­mit­ted is more explo­si­ve. Here, it was a que­sti­on of whe­ther a direc­to­ry pro­vi­der must inform other pro­vi­ders accor­din­gly in the event of dele­ti­on, against the back­ground of the trans­fer chain:

This pro­vi­der may, in turn, trans­fer the data to other pro­vi­ders of sub­scri­ber direc­to­ries on the basis of the same con­sent, thus crea­ting a chain of con­trol­lers that pro­cess the data one after the other inde­pendent­ly on the basis of the same consent

The que­sti­on here was more spe­ci­fi­cal­ly whe­ther a pro­vi­der in the midd­le, to whom the revo­ca­ti­on of con­sent was declared, must also inform the upstream and down­stream links in the chain:

[…] whe­ther, when a sub­scri­ber of a tele­pho­ne ser­vice pro­vi­der with­draws con­sent to be inclu­ded in that provider’s direc­to­ries, a direc­to­ry ser­vice pro­vi­der such as Pro­xi­mus must not only update its own data­ba­se […] but also inform the tele­pho­ne ser­vice pro­vi­der that trans­mit­ted the data in que­sti­on to it, as well as the other direc­to­ry ser­vice pro­vi­ders to which it its­elf trans­mit­ted data, of the withdrawal.

The ECJ ans­we­red this que­sti­on in the affir­ma­ti­ve with the fol­lo­wing considerations:

  • After revo­ca­ti­on of con­sent, fur­ther pro­ce­s­sing would be unlawful within the mea­ning of the GDPR (lack of legal basis).
  • The con­trol­ler must be able to pro­ve the lawful­ness of its pro­ce­s­sing pur­su­ant to Art. 5 GDPR. Accor­ding to Art. 24 GDPR, he must also imple­ment appro­pria­te tech­ni­cal and orga­nizatio­nal mea­su­res to ensu­re lawful­ness and its proof.
  • More spe­ci­fi­cal­ly, Art. 19 GDPR pro­vi­des that the con­trol­ler shall noti­fy all reci­pi­en­ts to whom per­so­nal data have been dis­c­lo­sed of any era­su­re, unless this is impos­si­ble or disproportionate.

From this, the ECJ draws the fol­lo­wing conclusion:

85 In order to ensu­re the effec­ti­ve­ness of the right to with­draw con­sent pro­vi­ded for in Artic­le 7(3) of the GDPR and to ensu­re that the data subject’s con­sent is strict­ly rela­ted to the pur­po­se for which it was given, the con­trol­ler to whom the data sub­ject has with­drawn his or her con­sent to the pro­ce­s­sing of his or her per­so­nal data shall, in accordance with the Commission’s per­ti­nent comm­ents, in effect obli­ged to inform any per­son who has com­mu­ni­ca­ted such data to him, as well as the per­son to whom he in turn has com­mu­ni­ca­ted the data, of the revo­ca­ti­on. The respon­si­ble per­sons infor­med accor­din­gly are then in turn obli­ged, to for­ward this infor­ma­ti­on to the other data con­trol­lers to whom they have trans­mit­ted such data.

With regard to the fourth que­sti­on refer­red for a preli­mi­na­ry ruling, the ECJ fur­ther sta­tes that the respon­si­ble per­son even Search engi­ne pro­vi­der – who are their own respon­si­ble per­sons – must inform:

96 In cir­cum­stances such as tho­se of the main pro­ce­e­dings, it must the­r­e­fo­re be assu­med that a con­trol­ler such as Pro­xi­mus, pur­su­ant to Artic­le 17(2) GDPR. must take rea­sonable mea­su­res to inform search engi­ne pro­vi­ders of the request recei­ved by it from the sub­scri­ber of a tele­pho­ne ser­vice pro­vi­der for the dele­ti­on of his per­so­nal data. Howe­ver, as the Advo­ca­te Gene­ral poin­ted out in point 76 of his Opi­ni­on, Artic­le 17(2) GDPR pro­vi­des that the assess­ment of the ade­qua­cy of the mea­su­res taken by the direc­to­ry pro­vi­der must take into account the available tech­no­lo­gy and the imple­men­ta­ti­on costs, and that this assess­ment is pri­ma­ri­ly for the com­pe­tent aut­ho­ri­ty and is sub­ject to judi­cial review.

The­se con­side­ra­ti­ons of the ECJ are not limi­t­ed to sub­scri­ber direc­to­ries. It can the­r­e­fo­re be assu­med that the ECJ would gene­ral­ly deci­de in the same way in other pro­ce­s­sing chains, i.e. that the revo­ca­ti­on of con­sent would gene­ral­ly have to be com­mu­ni­ca­ted to the upstream and down­stream links. This ulti­m­ate­ly as part of the com­pli­ance system that the con­trol­ler must ope­ra­te in par­ti­cu­lar due to Art. 24 GDPR.

Howe­ver, this can­not be trans­fer­red to Switz­er­land or the DPA.:

  • At Draft of the revi­sed VDSG it was still sti­pu­la­ted that the con­trol­ler must inform reci­pi­en­ts of data “wit­hout undue delay about the cor­rec­tion, dele­ti­on or des­truc­tion as well as the rest­ric­tion of the pro­ce­s­sing of per­so­nal data” (then Art. 16; cri­ti­cal­ly here). This pro­vi­si­on was right­ly not inclu­ded in the DSV. It would the­r­e­fo­re be incom­pa­ti­ble with the will of the legis­la­tor to distill such obli­ga­ti­ons from gene­ral prin­ci­ples. Switz­er­land also does not have an accoun­ta­bi­li­ty obli­ga­ti­on as the ECJ sta­tes here.
  • The prin­ci­ple of pri­va­cy by design then also applies in the FADP, but it does not spe­ci­fy any addi­tio­nal sub­stan­ti­ve obli­ga­ti­ons, but only requi­res exi­sting obli­ga­ti­ons to be proac­tively safe­guard­ed (i.e., it cuts off the controller’s objec­tion that it can­not ful­fill a cer­tain data pro­tec­tion obli­ga­ti­on due to the system design).




Rela­ted articles